In this work, we study position-based cryptography in the quantum setting. The aim is to
use the geographical position of a party as its only credential. On the negative side, we show
that if adversaries are allowed to share an arbitrarily large entangled quantum state, no secure
position-verification is possible at all. To this end, we prove the following very general result.
Assume that Alice and Bob hold respectively subsystems A and B of a (possibly) unknown
quantum state $|\psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$. Their goal is to calculate and share a new state $|\varphi\rangle = U|\psi\rangle$,
where U is a fixed unitary operation. The question that we ask is how many rounds of mutual
communication are needed. It is easy to achieve such a task using two rounds of classical
communication, whereas in general, it is impossible with no communication at all.

Surprisingly, in case Alice and Bob share enough entanglement to start with and we allow 
an arbitrarily small failure probability, we show that the same task can be done using a single 
round of classical communication in which Alice and Bob simultaneously exchange two classical 
messages. Actually, we prove that a relaxed version of the task can be done with no communication
at all, where the task is to compute instead a state $|\varphi'\rangle$ that coincides with $|\varphi\rangle = U|\psi\rangle$
up to local operations on A and on B, which are determined by classical information held by
Alice and Bob. The one-round scheme for the original task then follows as a simple corollary.
We also show that these results generalize to more players. As a consequence, we show a generic
attack that breaks any position-verification scheme.

On the positive side, we show that if adversaries do not share any entangled quantum
state but can compute arbitrary quantum operations, secure position-verification is achievable.

Jointly, these results suggest the interesting question whether secure position-verification is 
possible in case of a bounded amount of entanglement. Our positive result can be interpreted 
as resolving this question in the simplest case, where the bound is set to zero. 

In models where secure positioning is achievable, it has a number of interesting applications. 
For example, it enables secure communication over an insecure channel without having any 
pre-shared key, with the guarantee that only a party at a specific location can learn the content
of the conversation. More generally, we show that in settings where secure position-verification
is achievable, other position-based cryptographic schemes are possible as well, such as secure 
position-based authentication and position-based key agreement.

1 Introduction



1.1 Background 

The goal of position-based cryptography is to use the geographical position of a party as its only
"credential". For example, one would like to send a message to a party at a geographical position pos
with the guarantee that the party can decrypt the message only if he or she is physically present 
at pos. The general concept of position-based cryptography was introduced by Chandran, Goyal, 
Moriarty and Ostrovsky [CGMO09]; certain specific related tasks have been considered before under 
different names (see below and Section 1.3). 

A central task in position-based cryptography is the problem of position-verification. We have 
a prover P at position pos, wishing to convince a set of verifiers $V_0, \ldots, V_k$ (at different points in
geographical space) that P is indeed at that position pos. The prover can run an interactive protocol 
with the verifiers in order to convince them. The main technique for such a protocol is known as 
distance bounding [BC94]. In this technique, a verifier sends a random nonce to P and measures 
the time taken for P to reply back with this value. Assuming that the speed of communication is 
bounded by the speed of light, this technique gives an upper bound on the distance of P from the 
verifier. 

The problem of secure positioning has been studied before in the field of wireless security, 
and there have been several proposals for this task ([BC94, SSW03, VN04, Bus04, CH05, SP05, 
ZLFW06, CCS06]). However, [CGMO09] shows that there exists no protocol for secure positioning 
that offers security in the presence of multiple colluding adversaries. In other words, the set of 
verifiers cannot distinguish between the case when they are interacting with an honest prover 
at pos and the case when they are interacting with multiple colluding dishonest provers, none of 
which is at position pos. Their impossibility result holds even if one makes computational hardness 
assumptions, and it also rules out most other interesting position-based cryptographic tasks. 

In light of the strong impossibility result, [CGMO09] considers a setting that assumes restrictions
on the parties' storage capabilities, called the Bounded-Retrieval Model (BRM) in the full
version of [CGMO09], and constructs secure protocols for position-verification and for position-based
key exchange (wherein the verifiers, in addition to verifying the position claim of a prover,
also exchange a secret key with the prover). While these protocols give us a way to realize position- 
based cryptography, the underlying setting is relatively hard to justify in practice. 

This leaves us with the question: are there any other assumptions or settings in which position- 
based cryptography is realizable? 

1.2 Our Approach and Our Results 

In this work, we study position-based cryptography in the quantum setting. To start with, let 
us briefly explain why moving to the quantum setting might be useful. The impossibility result 
of [CGMO09] relies heavily on the fact that an adversary can locally store all information she 
receives and at the same time share this information with other colluding adversaries, located 
elsewhere. Recall that the positive result of [CGMO09] in the BRM circumvents the impossibility 
result by assuming that an adversary cannot store all information he receives. By considering the 
quantum setting, one may be able to circumvent the impossibility result thanks to the following 
observation. If some information is encoded into a quantum state, then the above attack fails due to 
the no-cloning principle: the adversary can either store the quantum state or send it to a colluding 
adversary (or do something in-between, like store part of it), but not both. 

However, this intuition turns out to be not completely accurate. Once the adversaries pre-share 
entangled states, they can make use of quantum teleportation [BBC+93]. Although teleportation
on its own does not appear to immediately conflict with the above intuition, we show that, based
on techniques by Vaidman [Vai03], adversaries holding a large amount of entangled quantum states
can perform instantaneous nonlocal quantum computation, which in particular implies that they 
can compute any unitary operation on a state shared between them, using only local operations and 
one round of classical mutual communication. Based on this technique, we show how a coalition of 
adversaries can attack and break any position-verification scheme. 

Interestingly, sharing entangled quantum systems is vital for attacking the position-verification 
scheme. We show that there exist schemes that are secure in the information-theoretic sense, if 
the adversary is not allowed to pre-share or maintain entanglement. Furthermore, we show how 
to construct secure protocols for several position-based cryptographic tasks: position-verification, 
authentication, and key exchange. 

This leads to an interesting open question regarding the amount of pre-shared entanglement 
required to break the positioning scheme: the case of a large amount of pre-shared states yields a 
complete break of any scheme while having no pre-shared states leads to information-theoretically 
secure schemes. The threshold of pre-shared quantum systems that keeps the system secure is yet 
unknown. 

1.3 Related Work 

To the best of our knowledge, quantum schemes for position-verification were first considered
by Kent in 2002 under the name of "quantum tagging". Together with Munro, Spiller
and Beausoleil, a patent for an (insecure) scheme was filed for HP Labs in 2004 and granted in
2006 [KMSB06]. Their results did not appear in the academic literature until 2010 [KMS10]. In
that paper, they describe several basic schemes and describe how to break them using teleportation-based
attacks. They propose other variations (Schemes IV-VI in [KMS10]) not susceptible to their
teleportation attack and leave their security as an open question. Our general attack shows that
these schemes are insecure as well.

Concurrently with and independently of our work and the work on quantum tagging described above,
the approach of using quantum techniques for secure position-verification was proposed by Malaney
[Mal10a, Mal10b]. However, the proposed scheme is merely claimed secure, and no rigorous security
analysis is provided. As pointed out in [KMS10], Malaney's schemes can also be broken by a
teleportation-based attack. Chandran et al. have proposed and proved secure a quantum scheme
for position-verification [CFG+10]. However, their proof implicitly assumed that the adversaries
have no pre-shared entanglement; as shown in [KMS10], their scheme also becomes insecure without
this assumption.

In a subsequent paper [LL11], Lau and Lo use similar ideas as in [KMS10] to show the insecurity 
of position-verification schemes that are of a certain (yet rather restricted) form, which include the 
schemes from [Mal10a, Mal10b] and [CFG+10]. Furthermore, they propose a position-verification
scheme that resists their attack, and they conjecture it secure. While these protocols might be 
secure if the adversaries do not pre-share entanglement, our attack shows that all of them are 
insecure in general. 

In a recent note [Ken10], Kent considers a different model for position-based cryptography
where the prover's position is not his only credential, but he is assumed to additionally share with
the verifiers a classical key unknown to the adversary. In this case, quantum key distribution can
be used to expand that key ad infinitum. This classical key stream is then used as an authentication
resource.

The idea of performing "instantaneous measurements of nonlocal variables" has been put forward
by Vaidman [Vai03] and was further investigated by Clark et al. [CCJP10]. The concept of
instantaneous nonlocal quantum computation presented here is an extension of Vaidman's task.
After the appearance and circulation of our work, Beigi and König [BK11] used the technique
of port-based teleportation by Ishizaka and Hiroshima [IH08, IH09] to reduce the amount of entanglement
required to perform instantaneous nonlocal quantum computation (from our double
exponential) to exponential.

In [GLM02], Giovannetti et al. show how to measure the distance between two parties by 
quantum cryptographic means so that only trusted people have access to the result. This is a 
different kind of problem than what we consider, and the techniques used there are not applicable 
in our setting. 

1.4 Our Attack and Our Schemes in More Detail 

Position-Verification - A Simple Approach. Let us briefly discuss the 1-dimensional case in
which we have two verifiers $V_0$ and $V_1$, and a prover P at position pos that lies on the straight line
between $V_0$ and $V_1$. Now, to verify P's position, $V_0$ sends a BB84 qubit $H^\theta|x\rangle$ to P, and $V_1$ sends
the corresponding basis $\theta$ to P. The sending of these messages is timed in such a way that $H^\theta|x\rangle$
and $\theta$ arrive at position pos at the same time. P has to measure the qubit in basis $\theta$ to obtain x,
and immediately send x to both $V_0$ and $V_1$, who verify the correctness of x and if it has arrived "in
time".

The intuition for this scheme is the following. Consider a dishonest prover $P_0$ between $V_0$ and P,
and a dishonest prover $P_1$ between $V_1$ and P. (It is not too hard to see that additional dishonest
provers do not help.) When $P_0$ receives the BB84 qubit, she does not know yet the corresponding
basis $\theta$. Thus, if she measures it immediately when she receives it, she is likely to measure it in
the wrong basis and $P_0$ and $P_1$ will not be able to provide the correct x. However, if she waits
until she knows the basis $\theta$, $P_0$ and $P_1$ will be too late in sending x to $V_1$ in time. Similarly, if she
forwards the BB84 qubit to $P_1$, who receives $\theta$ before $P_0$ does, then $P_0$ and $P_1$ will be too late in
sending x to $V_0$. It seems that in order to break the scheme, $P_0$ needs to store the qubit until she
receives the basis $\theta$ and at the same time send a copy of it to $P_1$. But such actions are excluded
by the no-cloning principle.

The Attack and Instantaneous Nonlocal Quantum Computation. The above intuition
turns out to be wrong. Using pre-shared entanglement, $P_0$ and $P_1$ can perform quantum teleportation
which enables them (in some sense) to act coherently on the complete state immediately
upon reception. Combining this fact with the observation by Kent et al. [KMS10] that the Pauli-corrections
resulting from the teleportation commute with the actions of the honest prover in the
above protocol shows that colluding adversaries can perfectly break the protocol.

Much more generally, we will show how to break any position-verification scheme, possibly consisting
of multiple (and interleaved) rounds. To this end, we will show how to perform instantaneous
nonlocal quantum computation. In particular, we prove that any unitary operation U acting on a 
composite system shared between players can be computed using only a single round of mutual 
classical communication. Based on ideas by Vaidman [Vai03], the players teleport quantum states 
back and forth many times in a clever way, without awaiting the classical measurement outcomes 
from the other party's teleportations. 

Position-Verification in the No Pre-shared Entanglement (No-PE) Model. On the other
hand, the above intuition is correct in the no pre-shared entanglement (No-PE) model, where the
adversaries are not allowed to have pre-shared entangled quantum states prior to the execution of the
protocol, or, more generally, prior to the execution of each round of the protocol in case of multi-round
schemes. Even though this model may be somewhat unrealistic and artificial, analyzing
protocols in this setting serves as a stepping stone to obtaining protocols which tolerate adversaries
who pre-share and maintain some limited amount of entanglement. But also, rigorously proving 
security in the restrictive (for the adversary) No-PE model is already non-trivial and requires heavy 
machinery. Our proof uses the strong complementary information trade-off (CIT) due to Renes and 
Boileau [RB09], and it guarantees that for any strategy, the success probability of $P_0$ and $P_1$ is
bounded by approximately 0.89. By repeating the above simple scheme sequentially, we get a 
secure multi-round positioning scheme with exponentially small soundness error. We note that 
when performing sequential repetitions in the No-PE model, the adversaries must enter each round 
with no entanglement; thus, they are not allowed to generate entanglement in one round, store it, 
and use it in the next round(s). 

Position-based authentication and key-exchange in the No-PE Model. Our position- 
based authentication scheme is based on our position-verification scheme. The idea is to start with 
a "weak" authentication scheme for a 1-bit message m: the verifiers and P execute the secure 
position-verification scheme; if P wishes to authenticate m = 1, then P correctly finishes the
scheme by sending x back, but if P wishes to authenticate m = 0, P sends back an "erasure" $\perp$
instead of the correct reply x with some probability q (which needs to be carefully chosen). This
authentication scheme is weak in the sense that turning 1 into 0 is easy for the adversary, but
turning a 0 into a 1 fails with constant probability.

The idea is to use a suitable balanced encoding of the actual message to be authenticated, so that 
for any two messages, the adversary needs to turn many 0's into 1's. Unfortunately, an arbitrary
balanced encoding is not good enough. The reason is that we do not assume the verifiers and the 
honest P to be synchronized. This asynchrony allows the adversary to make use of honest P who 
is authenticating one index of the encoded message, in order to authenticate another index of the 
modified encoded message towards the verifiers. 

Nevertheless, we show that the above approach does work for carefully chosen codes. We show 
that, for instance, the bit-wise encoding which maps 0 into 00...011...1 and 1 into 11...100...0 is
such a code. 
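
The directional property this paragraph relies on can be checked mechanically. The following Python sketch is an added example, not code from the paper; the function names and the block half-length `n` are assumptions made for illustration. It counts, over all pairs of distinct messages, how many positions would have to be turned from 0 into 1, for the bit-wise encoding and for an unencoded message.

```python
from itertools import product


def encode_bit(b, n):
    """Bit-wise code from the text: 0 -> 0^n 1^n and 1 -> 1^n 0^n."""
    return [0] * n + [1] * n if b == 0 else [1] * n + [0] * n


def encode(message, n):
    """Concatenate the encodings of the individual message bits."""
    out = []
    for b in message:
        out.extend(encode_bit(b, n))
    return out


def zero_to_one_flips(src, dst):
    """Positions where the authenticated word carries 0 but the target word needs 1.

    These are the hard changes for the adversary in the weak 1-bit scheme;
    changes from 1 to 0 are the easy direction and are not counted.
    """
    return sum(1 for s, d in zip(src, dst) if s == 0 and d == 1)


def min_flips(msg_len, encoder):
    """Smallest number of 0 -> 1 changes over all ordered pairs of distinct messages."""
    msgs = list(product((0, 1), repeat=msg_len))
    return min(
        zero_to_one_flips(encoder(a), encoder(b))
        for a in msgs
        for b in msgs
        if a != b
    )


def compare(msg_len=4, n=8):
    """Return (minimum for the bit-wise code, minimum for the unencoded message)."""
    encoded = min_flips(msg_len, lambda m: encode(m, n))
    plain = min_flips(msg_len, lambda m: list(m))
    return encoded, plain


if __name__ == "__main__":
    print(compare())
```

With the bit-wise code every change of message costs at least `n` hard flips, whereas an unencoded message can be changed using easy flips only.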

Our solution borrows some ideas from [RW03, KR09, CKOR10] on authentication based on 
weak secrets. However, since in our setting we cannot do liveness tests (to check that the verifier 
is alive in the protocol), the techniques from [RW03, KR09, CKOR10] do not help us directly. 

Given a position-based authentication scheme, one can immediately obtain a position-based key- 
exchange scheme simply by (essentially) executing an arbitrary quantum-key-distribution scheme 
(e.g. [BB84]), which assumes an authenticated classical communication channel, and authenticate 
the classical communication by means of the position-based authentication scheme. 

1.5 Organization of the paper 

In Section 2, we begin by introducing notation, and presenting the relevant background from 
quantum information theory. In Section 3, we describe the problem of position-verification and 
define our standard quantum model, as well as the No-PE model in more detail. A protocol for 
computing any unitary operation using local operations and one round of classical communication 
is provided and analyzed in Section 4, and in Section 5 we conclude that there does not exist any 
protocol for position-verification (and hence, any protocol for position-based cryptographic tasks) 
in the standard quantum model. We present our position-verification protocol in the No-PE model
in Section 6. Section 7 is devoted to our position-based authentication protocol and showing how
to combine the above tools to obtain position-based key exchange. 

2 Preliminaries 

2.1 Notation and Terminology 

We assume the reader to be familiar with the basic concepts of quantum information theory and 
refer to [NC00] for an excellent introduction; we merely fix some notation.

Qubits. A qubit is a quantum system A with a 2-dimensional state space $\mathcal{H}_A = \mathbb{C}^2$. The computational
basis $\{|0\rangle, |1\rangle\}$ (for a qubit) is given by $|0\rangle = \binom{1}{0}$ and $|1\rangle = \binom{0}{1}$, and the Hadamard basis
by $H\{|0\rangle, |1\rangle\} = \{H|0\rangle, H|1\rangle\}$, where H denotes the 2-dimensional Hadamard matrix, which maps
$|0\rangle$ to $(|0\rangle + |1\rangle)/\sqrt{2}$ and $|1\rangle$ to $(|0\rangle - |1\rangle)/\sqrt{2}$. The state space of an n-qubit system $A = A_1 \cdots A_n$
is given by the $2^n$-dimensional space $\mathcal{H}_A = (\mathbb{C}^2)^{\otimes n} = \mathbb{C}^2 \otimes \cdots \otimes \mathbb{C}^2$.

Since we mainly use the above two bases, we can simplify terminology and notation by identifying
the computational basis $\{|0\rangle, |1\rangle\}$ with the bit 0 and the Hadamard basis $H\{|0\rangle, |1\rangle\}$ with the
bit 1. Hence, when we say that an n-qubit state $|\psi\rangle \in (\mathbb{C}^2)^{\otimes n}$ is measured in basis $\theta \in \{0,1\}^n$, we
mean that the state is measured qubit-wise where basis $H^{\theta_i}\{|0\rangle, |1\rangle\}$ is used for the i-th qubit. As
a result of the measurement, the string $x \in \{0,1\}^n$ is observed with probability $|\langle\psi|H^\theta|x\rangle|^2$, where
$H^\theta = H^{\theta_1} \otimes \cdots \otimes H^{\theta_n}$ and $|x\rangle = |x_1\rangle \otimes \cdots \otimes |x_n\rangle$.

An important example of a 2-qubit state is the EPR pair, which is given by
$|\Phi_{AB}\rangle = (|0\rangle|0\rangle + |1\rangle|1\rangle)/\sqrt{2} \in \mathcal{H}_A \otimes \mathcal{H}_B = \mathbb{C}^2 \otimes \mathbb{C}^2$ and has the following properties: if qubit A is measured in
the computational basis, a uniformly random bit $x \in \{0,1\}$ is observed and qubit B collapses to
$|x\rangle$. Similarly, if qubit A is measured in the Hadamard basis, a uniformly random bit $x \in \{0,1\}$ is
observed and qubit B collapses to $H|x\rangle$.

Density Matrices and Trace Distance. For any complex Hilbert space $\mathcal{H}$, we write $\mathcal{D}(\mathcal{H})$
for the set of all density matrices acting on $\mathcal{H}$. We measure closeness of two density matrices $\rho$
and $\sigma$ in $\mathcal{D}(\mathcal{H})$ by their trace distance: $\delta(\rho,\sigma) := \frac{1}{2}\mathrm{tr}|\rho - \sigma|$. One can show that for any physical
processing of two quantum states described by $\rho$ and $\sigma$, respectively, the two states behave in an
indistinguishable way except with probability at most $\delta(\rho,\sigma)$. Thus, informally, if $\delta(\rho,\sigma)$ is very
small, then without making a significant error, the two quantum states can be considered equal.

Classical and Hybrid Systems (and States). Subsystem X of a bipartite quantum system
XE is called classical, if the state of XE is given by a density matrix of the form
$\rho_{XE} = \sum_{x \in \mathcal{X}} P_X(x)|x\rangle\langle x| \otimes \rho_E^x$, where $\mathcal{X}$ is a finite set of cardinality $|\mathcal{X}| = \dim(\mathcal{H}_X)$, $P_X : \mathcal{X} \to [0,1]$
is a probability distribution, $\{|x\rangle\}_{x \in \mathcal{X}}$ is some fixed orthonormal basis of $\mathcal{H}_X$, and $\rho_E^x$ is a density
matrix on $\mathcal{H}_E$ for every $x \in \mathcal{X}$. Such a state, called hybrid state (also known as cq-state, for
classical and quantum), can equivalently be understood as consisting of a random variable X with
distribution $P_X$ and range $\mathcal{X}$, and a system E that is in state $\rho_E^x$ exactly when X takes on the
value x. This formalism naturally extends to two (or more) classical systems X, Y etc. as well as
to two (or more) quantum systems.

Teleportation. The goal of teleportation is to transfer a quantum state from one location to
another by only communicating classical information. Teleportation requires pre-shared entanglement
among the two locations. Specifically, to teleport a qubit Q in an arbitrary (and typically
unknown) state $|\psi\rangle$ from Alice to Bob, Alice performs a Bell-measurement on Q and her half of an
EPR-pair, yielding a classical measurement outcome $k \in \{0, 1, 2, 3\}$. Instantaneously, the other half
of the corresponding EPR pair, which is held by Bob, turns into the state $\sigma_k^\dagger|\psi\rangle$, where $\sigma_0, \sigma_1, \sigma_2, \sigma_3$
denote the four Pauli-corrections $\{I, X, Z, XZ\}$, respectively, and $\sigma^\dagger$ denotes the complex conjugate
of the transpose of $\sigma$. The classical information k is then communicated to Bob who can recover the
state $|\psi\rangle$ by performing $\sigma_k$ on his EPR half. Note that the operator $\sigma_k$ is Hermitian and unitary,
thus $\sigma_k^\dagger = \sigma_k$ and $\sigma_k^\dagger \sigma_k = I$.
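
The teleportation step can be traced with an explicit state vector. The following Python sketch is an added example, not code from the paper; the outcome labelling k = 2*m1 + m2 and all function names are assumptions of this sketch. It checks that Bob recovers the state (up to a global phase) after applying the Pauli correction, and that for a BB84 state measured in its own basis the correction reduces to a classical bit flip, which is the commutation observation of [KMS10] quoted in Section 1.4.

```python
import math

S = 1 / math.sqrt(2)
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
H = [[S, S], [S, -S]]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def apply(m, v):
    return [m[0][0] * v[0] + m[0][1] * v[1], m[1][0] * v[0] + m[1][1] * v[1]]


# sigma_0..sigma_3 = I, X, Z, XZ, in the order used in the text.
SIGMA = [I2, X, Z, matmul(X, Z)]


def bb84_state(x, theta):
    """The BB84 state H^theta |x>."""
    v = [1.0, 0.0] if x == 0 else [0.0, 1.0]
    return apply(H, v) if theta else v


def fidelity(u, v):
    """|<u|v>|^2 for normalized single-qubit states (insensitive to global phase)."""
    return abs(sum(complex(a).conjugate() * b for a, b in zip(u, v))) ** 2


def teleport(psi):
    """Alice's Bell measurement on (Q, A); returns {k: (probability, Bob's uncorrected state)}.

    Amplitudes are indexed by 4*q + 2*a + b for the qubits (Q, A, B); A and B start as an
    EPR pair. The outcome is labelled k = 2*m1 + m2 (an assumption of this sketch), where
    m1 and m2 are the bits measured on Q and A after CNOT(Q -> A) and a Hadamard on Q.
    """
    bits = [(q, a, b) for q in (0, 1) for a in (0, 1) for b in (0, 1)]
    amp = [psi[q] * (S if a == b else 0.0) for q, a, b in bits]
    cnot = [0.0] * 8
    for q, a, b in bits:
        cnot[4 * q + 2 * (a ^ q) + b] = amp[4 * q + 2 * a + b]
    out = [sum(H[q2][q] * cnot[4 * q + 2 * a + b] for q in (0, 1)) for q2, a, b in bits]
    result = {}
    for m1 in (0, 1):
        for m2 in (0, 1):
            vec = out[4 * m1 + 2 * m2: 4 * m1 + 2 * m2 + 2]
            p = sum(abs(c) ** 2 for c in vec)
            result[2 * m1 + m2] = (p, [c / math.sqrt(p) for c in vec])
    return result


def corrected_fidelities(psi):
    """Fidelity with |psi> after Bob applies sigma_k, for each outcome k."""
    return {k: fidelity(psi, apply(SIGMA[k], bob)) for k, (_, bob) in teleport(psi).items()}


def classical_fix(k, theta):
    """Bit flip equivalent to sigma_k for a measurement in basis theta:
    X flips computational-basis outcomes, Z flips Hadamard-basis outcomes."""
    m1, m2 = divmod(k, 2)
    return m1 if theta else m2


def measured_then_fixed(x, theta):
    """Bob measures his uncorrected half of a teleported H^theta|x> in basis theta
    and applies the correction to the classical outcome afterwards."""
    fixed = {}
    for k, (_, bob) in teleport(bb84_state(x, theta)).items():
        y = 0 if fidelity(bb84_state(0, theta), bob) > 0.5 else 1  # outcome is deterministic
        fixed[k] = y ^ classical_fix(k, theta)
    return fixed
```

Because the measured bit can be fixed once k is known, the party holding the second EPR half does not need to wait for k before measuring; this is why the scheme's security argument needs the No-PE assumption.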

2.2 Some Quantum Information Theory 

The von Neumann entropy of a quantum state $\rho \in \mathcal{D}(\mathcal{H})$ is given by $\mathrm{H}(\rho) := -\mathrm{tr}(\rho \log(\rho))$, where
here and throughout the article, log denotes the binary logarithm. $\mathrm{H}(\rho)$ is non-negative and at most
$\log(\dim(\mathcal{H}))$. For a bi-partite quantum state $\rho_{AB} \in \mathcal{D}(\mathcal{H}_A \otimes \mathcal{H}_B)$, the conditional von Neumann
entropy of A given B is defined as $\mathrm{H}(\rho_{AB}|B) := \mathrm{H}(\rho_{AB}) - \mathrm{H}(\rho_B)$. In cases where the state
is clear from the context, we may write $\mathrm{H}(A|B)$ instead of $\mathrm{H}(\rho_{AB}|B)$. If X and Y are both
classical, $\mathrm{H}(X|Y)$ coincides with the classical conditional Shannon entropy. Furthermore, in case
of conditioning (partly) on a classical state, the following holds.

Lemma 2.1. For any tri-partite state $\rho_{ABY}$ with classical Y: $\mathrm{H}(A|BY) = \sum_y P_Y(y)\, \mathrm{H}(\rho_{AB}^y|B)$.

Lemma 2.1 along with the concavity of H and Jensen's inequality implies that for classical Y:
$\mathrm{H}(A) \geq \mathrm{H}(A|Y) \geq 0$. The proof of Lemma 2.1 is given in Appendix A.

The following theorem is a generalization of the well-known Holevo bound [Hol73] (see also [NC00]), 
and follows from the monotonicity of mutual information. Informally, it says that measuring only 
reduces your information. Formally, and tailored to the notation used here, it ensures the following. 

Theorem 2.2. Let $\rho_{AB} \in \mathcal{D}(\mathcal{H}_A \otimes \mathcal{H}_B)$ be an arbitrary bi-partite state, and let $\rho_{AY}$ be obtained by
measuring B in some basis to observe (classical) Y. Then $\mathrm{H}(A|Y) \geq \mathrm{H}(A|B)$.

For classical X and Y, the Fano inequality [Fan61] (see also [CT91]) allows one to bound the
probability of correctly guessing X when having access to Y. In the statement below and throughout
the article, $h : [0,1] \to [0,1]$ denotes the binary entropy function defined as $h(p) = -p\log(p) - (1-p)\log(1-p)$
for $0 < p < 1$ and as $h(p) = 0$ for $p = 0$ or 1, and $h^{-1} : [0,1] \to [0,\frac{1}{2}]$ denotes its
inverse on the branch $0 \leq p \leq \frac{1}{2}$.

Theorem 2.3 (Fano inequality). Let X and Y be random variables with ranges $\mathcal{X}$ and $\mathcal{Y}$, respectively,
and let $\hat{X}$ be a guess for X computed solely from Y. Then $q := P[\hat{X} \neq X]$ satisfies

$$h(q) + q \log(|\mathcal{X}| - 1) \geq \mathrm{H}(X|Y).$$

In particular, for binary X: $q \geq h^{-1}(\mathrm{H}(X|Y))$.

2.3 Strong Complementary Information Tradeoff 

The following entropic uncertainty principle, called strong complementary information tradeoff
(CIT) in [RB09] and generalized in [BCC+10], is at the heart of our security proofs. It relates
the uncertainty of the measurement outcome of a system A with the uncertainty of the measurement
outcome when the complementary basis is used instead, and it guarantees that there can
coexist at most one system E that has full information on both possible outcomes. Note that
by the complementary basis $\bar\theta$ of a basis $\theta = (\theta_1, \ldots, \theta_n) \in \{0,1\}^n$, we mean the n-bit string
$\bar\theta = (\bar\theta_1, \ldots, \bar\theta_n) \in \{0,1\}^n$ with $\bar\theta_i \neq \theta_i$ for all i.

Theorem 2.4 (CIT). Let $|\psi_{AEF}\rangle \in \mathcal{H}_A \otimes \mathcal{H}_E \otimes \mathcal{H}_F$ be an arbitrary tri-partite state, where $\mathcal{H}_A = (\mathbb{C}^2)^{\otimes n}$.
Let the hybrid state $\rho_{XEF}$ be obtained by measuring A in basis $\theta \in \{0,1\}^n$, and let the
hybrid state $\sigma_{XEF}$ be obtained by measuring A (of the original state $|\psi_{AEF}\rangle$) in the complementary
basis $\bar\theta$. Then

$$\mathrm{H}(\rho_{XE}|E) + \mathrm{H}(\sigma_{XF}|F) \geq n.$$

CIT in particular implies the following (the proof is given in Appendix A): 

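Corollary 2.5. Let $|\psi_{AEF}\rangle \in \mathcal{H}_A \otimes \mathcal{H}_E \otimes \mathcal{H}_F$ be an arbitrary tri-partite state, where $\mathcal{H}_A = (\mathbb{C}^2)^{\otimes n}$.
Let $\Theta$ be uniformly distributed in $\{0,1\}^n$ and let X be the result of measuring A in basis $\Theta$. Then

$$\mathrm{H}(X|\Theta E) + \mathrm{H}(X|\Theta F) \geq n.$$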
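
Reading Corollary 2.5 with n = 1 together with Theorems 2.2 and 2.3 gives a numeric bound that matches the "approximately 0.89" quoted in Section 1.4. The following Python sketch is an added example, not code from the paper; it assumes that the per-round bound multiplies across sequential repetitions, and the measure-at-once strategies it evaluates are restricted to real rotated bases. It compares the bound with what measuring the BB84 qubit before the basis is known can achieve.

```python
import math


def h(p):
    """Binary entropy function (binary logarithm), with h(0) = h(1) = 0."""
    if p in (0.0, 1.0):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def h_inv(y, iters=100):
    """Inverse of h on the branch 0 <= p <= 1/2, by bisection (h is increasing there)."""
    lo, hi = 0.0, 0.5
    for _ in range(iters):
        mid = (lo + hi) / 2
        if h(mid) < y:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def single_qubit_bound():
    """Upper bound on the joint success probability for one BB84 qubit.

    Corollary 2.5 with n = 1: H(X|Theta E) + H(X|Theta F) >= 1, so at least one of the
    two entropies is >= 1/2. Measuring that system cannot lower the entropy
    (Theorem 2.2), and Fano for binary X gives error probability q >= h^{-1}(1/2).
    """
    return 1.0 - h_inv(0.5)


def measure_first_success(phi):
    """Success probability when the qubit is measured at once in the real basis rotated
    by angle phi, and x is guessed optimally after theta becomes known."""
    s = 1 / math.sqrt(2)
    basis = [(math.cos(phi), math.sin(phi)), (-math.sin(phi), math.cos(phi))]
    # BB84 states H^theta|x>, keyed by (x, theta)
    states = {(0, 0): (1.0, 0.0), (1, 0): (0.0, 1.0), (0, 1): (s, s), (1, 1): (s, -s)}
    total = 0.0
    for theta in (0, 1):
        for m in basis:
            # best guess of x for this outcome: the x with the larger joint probability
            total += max(
                0.5 * (m[0] * states[(x, theta)][0] + m[1] * states[(x, theta)][1]) ** 2
                for x in (0, 1)
            )
    return total / 2  # theta is uniform


def best_measure_first(steps=1800):
    """Best value over a grid of rotation angles in [0, pi]."""
    return max(measure_first_success(math.pi * i / steps) for i in range(steps + 1))


def rounds_needed(target, eps):
    """Sequential repetitions needed so that eps**rounds <= target."""
    return math.ceil(math.log(target) / math.log(eps))


if __name__ == "__main__":
    eps = single_qubit_bound()
    print(round(eps, 5), round(best_measure_first(), 5), rounds_needed(2 ** -40, eps))
```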

3 Setup and The Task of Position Verification 
3.1 The Security Model 

We informally describe the model we use for the upcoming sections, which is a quantum version of 
the Vanilla (standard) model introduced in [CGMO09] (see there for a full description). We also 
describe our restricted model used for our security proof, that we call the no pre-shared entanglement 
(No-PE) model. We consider entities $V_0, \ldots, V_k$ called verifiers and an entity P, the (honest) prover.
Additionally, we consider a coalition P of dishonest provers (or adversaries) $P_0, \ldots, P_\ell$. All entities
can perform arbitrary quantum (and classical) operations and can communicate quantum (and 
classical) messages among them. 

For our positive results, we consider a restricted model, which prohibits entanglement between 
the dishonest verifiers. Specifically, the No-PE model is such that the dishonest provers enter every 
new round of communication, initiated by the verifiers, with no pre-shared entanglement. That is, 
in every round, a dishonest prover can send an entangled quantum state only after it receives the 
verifier's message, and the dishonest provers cannot maintain such an entangled state in order to 
use it in the next round. As mentioned in the introduction, considering this simple (but possibly 
unrealistic) model may help us in obtaining protocols that are secure against adversaries with 
limited entanglement. 

For simplicity, we assume that quantum operations and communication are noise-free; however, 
our results generalize to the more realistic noisy case, assuming that the noise is low enough. We 
require that the verifiers have a private and authenticated channel among themselves, which allows 
them to coordinate their actions by communicating before, during or after protocol execution. We 
stress however, that this assumption does not hold for the communication between the verifiers 
and P: P has full control over the destination of messages communicated between the verifiers 
and P (both ways). In particular, the verifiers do not know per-se if they are communicating with 
the honest or a dishonest prover (or a coalition of dishonest provers). 

The above model is extended by incorporating the notion of time and space. Each entity 
is assigned an arbitrary fixed position pos in the d-dimensional space $\mathbb{R}^d$, and we assume that
messages to be communicated travel at fixed velocity v (e.g. with the speed of light), and hence 
the time needed for a message to travel from one entity to another equals the Euclidean distance 
between the two (assuming that v is normalized to 1). This timing assumption holds for honest 
and dishonest entities. We assume on the other hand that local computations take no time. 

Finally, we assume that the verifiers have precise and synchronized clocks, so that they can 
coordinate exact times for sending off messages and can measure the exact time of a message
arrival. We do not require P's clock to be precise or in sync with the verifiers. However, we do
assume that P cannot be reset. 

This model allows us to reason as follows. Consider a verifier $V_0$ at position $pos_0$, who sends a
challenge $ch_0$ to the (supposedly honest) prover claiming to be at position pos. If $V_0$ receives a
reply within time $2d(pos_0, pos)$, where $d(\cdot,\cdot)$ is the Euclidean distance measure in $\mathbb{R}^d$ and thus also
measures the time a message takes from one point to the other, then $V_0$ can conclude that he is
communicating with a prover that is within distance $d(pos_0, pos)$.

We stress that in our model, the honest prover P has no advantage over the dishonest provers 
beyond being at its position pos. In particular, P does not share any secret information with the 
verifiers, nor can he per-se authenticate his messages by any other means. 

Throughout the article, we require that the honest prover P is enclosed by the verifiers $V_0, \ldots, V_k$
in that the prover's position $pos \in \mathbb{R}^d$ lies within the tetrahedron, i.e., convex hull, $\mathrm{Hull}(pos_0, \ldots, pos_k) \subset \mathbb{R}^d$
formed by the respective positions of the verifiers. Note that in this work we consider only stand-alone
security, i.e., there exists only a single execution with a single honest prover, and we do not
guarantee concurrent security.

3.2 Secure Position Verification 

A position-verification scheme should allow a prover P at position $pos \in \mathbb{R}^d$ (in d-dimensional space)
to convince a set of k + 1 verifiers $V_0, \ldots, V_k$, who are located at respective positions $pos_0, \ldots, pos_k \in \mathbb{R}^d$,
that he is indeed at position pos. We assume that P is enclosed by $V_0, \ldots, V_k$. We require
that the verifiers jointly accept if an honest prover P is at position pos, and we require that the
verifiers reject with "high" probability in case of a dishonest prover that is not at position pos.
The latter should hold even if the dishonest prover consists of a coalition of collaborating dishonest
provers $P_0, \ldots, P_\ell$ at arbitrary positions $apos_0, \ldots, apos_\ell \in \mathbb{R}^d$ with $apos_i \neq pos$ for all i. We
refer to [CGMO09] for the general formal definition of the completeness and security of a position-verification
scheme. In this article, we mainly focus on position-verification schemes of the following
form:

Definition 3.1. A 1-round position-verification scheme PV = (Chlg, Resp, Ver) consists of the
following three parts. A challenge generator Chlg, which outputs a list of challenges $(ch_0, \ldots, ch_k)$
and auxiliary information x; a response algorithm Resp, which on input a list of challenges outputs
a list of responses $(x'_0, \ldots, x'_k)$; and a verification algorithm Ver with $\mathrm{Ver}(x'_0, \ldots, x'_k, x) \in \{0, 1\}$.

PV is said to have perfect completeness if $\mathrm{Ver}(x'_0, \ldots, x'_k, x) = 1$ with probability 1 for
$(ch_0, \ldots, ch_k)$ and x generated by Chlg and $(x'_0, \ldots, x'_k)$ by Resp on input $(ch_0, \ldots, ch_k)$.

The algorithms Chlg, Resp and Ver are used as described in Figure 1 to verify the claimed
position of a prover P. We clarify that in order to have all the challenges arrive at P's (claimed)
location pos at the same time, the verifiers agree on a time T and each $V_i$ sends off his challenge
$ch_i$ at time $T - d(pos_i, pos)$. As a result, all $ch_i$'s arrive at P's position pos at time T. In Step 3,
$V_i$ receives $x'_i$ in time if $x'_i$ arrives at $V_i$'s position $pos_i$ at time $T + d(pos_i, pos)$.
Throughout the article, we use this simplified terminology. Furthermore, we are sometimes a bit sloppy
in distinguishing a party, like P, from its location pos.

We stress that we allow Chlg, Resp and Ver to be quantum algorithms and $ch_i$, $x$ and $x'_i$ to be
quantum information. In our constructions, only $ch_0$ will actually be quantum; thus, we will only
require quantum communication from $V_0$ to P, all other communication is classical. Also, in our
constructions, $x'_0 = \ldots = x'_k$, and $\mathrm{Ver}(x'_0, \ldots, x'_k, x) = 1$ exactly if $x'_i = x$ for all i.

Definition 3.2. A 1-round position-verification scheme PV = (Chlg, Resp, Ver) is called $\varepsilon$-sound
if for any position $pos \in \mathrm{Hull}(pos_0, \ldots, pos_k)$, and any coalition of dishonest provers
$\hat{P}_0, \ldots, \hat{P}_\ell$ at arbitrary positions $apos_0, \ldots, apos_\ell$, all $\neq pos$, when
executing the scheme from Figure 1 the verifiers accept with probability at most $\varepsilon$. We write
$\mathrm{PV}^{\varepsilon}$ for such a protocol.

Common input to the verifiers: their respective positions $pos_0, \ldots, pos_k$, and P's (claimed) position pos.

0. $V_0$ generates a list of challenges $(ch_0, \ldots, ch_k)$ and auxiliary information x using Chlg, and sends
$ch_i$ to $V_i$ for $i = 1, \ldots, k$.

1. Every $V_i$ sends $ch_i$ to P in such a way that all $ch_i$'s arrive at the same time at P's position pos.

2. P computes $(x'_0, \ldots, x'_k) := \mathrm{Resp}(ch_0, \ldots, ch_k)$ as soon as all the $ch_i$'s arrive, and he
sends $x'_i$ to $V_i$ for every i.

3. The $V_i$'s jointly accept if and only if all $V_i$'s receive $x'_i$ in time and $\mathrm{Ver}(x'_0, \ldots, x'_k, x) = 1$.

Figure 1: Generic 1-round position-verification scheme.

In order to be more realistic, we must take into consideration physical limitations of the equipment
used, such as measurement errors, computation durations, etc. Those allow a dishonest prover
which resides arbitrarily close to P to appear as if she resides at pos. Thus, we assume that all the
adversaries are at least $\Delta$-distanced from pos, where $\Delta$ is determined by those imperfections. For
the sake of simplicity, this $\Delta$ is implicit in the continuation of the paper.
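The timing rule of Figure 1 (challenges leave at $T - d(pos_i, pos)$, replies are due at $T + d(pos_i, pos)$) and the tolerance that imperfect equipment forces on the verifiers, as an added example that is not part of the paper. Signal speed is normalized to 1, as the paper's use of a distance as a time implies; the function names, the sample coordinates, the time tolerance standing in for the imperfections behind $\Delta$, and the model of a single responder that waits for every challenge are assumptions of the example.

```python
import math

# Constructed sample geometry: four non-coplanar verifiers and a claimed
# position inside the tetrahedron they span.
VERIFIERS = [(0, 0, 0), (10, 0, 0), (0, 10, 0), (0, 0, 10)]
CLAIMED = (2, 2, 2)

def schedule(verifiers, pos, T):
    """(send time, reply deadline) per verifier for the claimed position pos.
    With signal speed 1, a distance doubles as a travel time."""
    return [(T - math.dist(v, pos), T + math.dist(v, pos)) for v in verifiers]

def reply_lateness(verifiers, pos, responder, T):
    """How late the reply reaches each verifier (0 = exactly on time) when one
    responder waits for all challenges, as Resp requires, and then answers."""
    sched = schedule(verifiers, pos, T)
    ready = max(send + math.dist(v, responder)
                for (send, _), v in zip(sched, verifiers))
    return [ready + math.dist(responder, v) - deadline
            for (_, deadline), v in zip(sched, verifiers)]

def accepted_on_timing(verifiers, pos, responder, T, tolerance):
    """Timing part of Step 3 only. A reply that would be early can simply be
    held back by its sender, so only lateness beyond the tolerance counts."""
    return all(late <= tolerance
               for late in reply_lateness(verifiers, pos, responder, T))
```

A responder one unit away from the claimed position misses at least one deadline, while one displaced by 0.001 passes a tolerance of 0.01, which is the reason the paper assumes adversaries are at least $\Delta$ away.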

A position-verification scheme can also be understood as a (position-based) identification scheme, 
where the identification is not done by means of a cryptographic key or a password, but by means 
of the geographical location. 

4 Instantaneous Nonlocal Quantum Computation 

In order to analyze the (in)security of position-verification schemes, we first address a more general
task, which is interesting in its own right: instantaneous nonlocal quantum computation¹. Consider
the following problem, involving two parties Alice and Bob. Alice holds A and Bob holds B
of a tripartite system ABE that is in some unknown state $|\psi\rangle$. The goal is to apply a known
unitary transformation U to AB, but without using any communication, just by local operations.
In general, such a task is clearly impossible, as it violates the non-signalling principle. The goal of
instantaneous nonlocal quantum computation is to achieve almost the above but without violating
non-signalling. Specifically, the goal is for Alice and Bob to compute, without communication,
a state $|\varphi'\rangle$ that coincides with $|\varphi\rangle = (U \otimes \mathbb{I})|\psi\rangle$ up to local and
qubit-wise operations on A and B, where $\mathbb{I}$ denotes the identity on E. Furthermore, these local and
qubit-wise operations are determined by classical information that Alice and Bob obtain as part of their
actions. In particular, if Alice and Bob share their classical information, which can be done with one
round of simultaneous mutual communication, then they can transform $|\varphi'\rangle$ into
$|\varphi\rangle = U|\psi\rangle$ by local qubit-wise operations. Following ideas by Vaidman [Vai03], we show
below that instantaneous nonlocal quantum computation, as described above, is possible if Alice and Bob
share sufficiently many EPR pairs.

In the following, let $\mathcal{H}_A$, $\mathcal{H}_B$ and $\mathcal{H}_E$ be Hilbert spaces where the former two
consist of $n_A$ and $n_B$ qubits respectively, i.e., $\mathcal{H}_A = (\mathbb{C}^2)^{\otimes n_A}$ and
$\mathcal{H}_B = (\mathbb{C}^2)^{\otimes n_B}$. Furthermore, let U be a unitary matrix acting on
$\mathcal{H}_A \otimes \mathcal{H}_B$. Alice holds system A and Bob holds system B of an arbitrary and
unknown state $|\psi\rangle \in \mathcal{H}_{ABE} = \mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E$.
Additionally, Alice and Bob share an arbitrary but finite number of EPR pairs.

¹ This is an extension of the task of "instantaneous measurement of nonlocal variables" introduced by
Vaidman [Vai03].

Theorem 4.1. For every unitary U and for every $\varepsilon > 0$, given sufficiently many shared EPR pairs,
there exist local operations $\mathcal{A}$ and $\mathcal{B}$, acting on Alice's and Bob's respective sides, with
the following property. For any initial state $|\psi\rangle \in \mathcal{H}_{ABE}$, the joint execution
$\mathcal{A} \otimes \mathcal{B}$ transforms $|\psi\rangle$ into $|\varphi'\rangle$ and provides classical outputs
k to Alice and $\ell$ to Bob, such that the following holds except with probability $\varepsilon$. The state
$|\varphi'\rangle$ coincides with $|\varphi\rangle = (U \otimes \mathbb{I})|\psi\rangle$ up to local qubit-wise
operations on A and B that are determined by k and $\ell$.

We stress that $\mathcal{A}$ acts on A as well as on Alice's shares of the EPR pairs, and the corresponding
holds for $\mathcal{B}$. Furthermore, being equal up to local qubit-wise operations on A and B means that
$|\varphi'\rangle = (V^A_{k,\ell} \otimes V^B_{k,\ell} \otimes \mathbb{I})|\varphi\rangle$, where
$\{V^A_{k,\ell}\}_{k,\ell}$ and $\{V^B_{k,\ell}\}_{k,\ell}$ are fixed families of unitaries which act
qubit-wise on $\mathcal{H}_A$ and $\mathcal{H}_B$, respectively. In our construction, the $V^A_{k,\ell}$'s and
$V^B_{k,\ell}$'s will actually be tensor products of one-qubit Pauli operators.

As an immediate consequence of Theorem 4.1, we get the following. 

Corollary 4.2. For every unitary U and for every $\varepsilon > 0$, given sufficiently many shared EPR pairs,
there exists a nonlocal operation $\mathcal{AB}$ for Alice and Bob which consists of local operations and one
round of mutual communication, such that for any initial state $|\psi\rangle \in \mathcal{H}_{ABE}$ of the
tripartite system ABE, the joint execution of $\mathcal{AB}$ transforms $|\psi\rangle$ into
$|\varphi\rangle = (U \otimes \mathbb{I})|\psi\rangle$, except with probability $\varepsilon$.

For technical reasons, we will actually prove the following extension of Theorem 4.1, which is
easily seen to be equivalent. The difference to Theorem 4.1 is that Alice and Bob are additionally given
classical inputs: x to Alice and y to Bob, and the unitary U that is to be applied to the quantum
input depends on x and y. In the statement below, x ranges over some arbitrary but fixed finite
set $\mathcal{X}$, and y ranges over some arbitrary but fixed finite set $\mathcal{Y}$.

Theorem 4.3. For every family $\{U_{x,y}\}$ of unitaries and for every $\varepsilon > 0$, given sufficiently many
shared EPR pairs, there exist families $\{\mathcal{A}_x\}$ and $\{\mathcal{B}_y\}$ of local operations, acting on
Alice's and Bob's respective sides, with the following property. For any initial state
$|\psi\rangle \in \mathcal{H}_{ABE}$ and for every $x \in \mathcal{X}$ and $y \in \mathcal{Y}$, the joint execution
$\mathcal{A}_x \otimes \mathcal{B}_y$ transforms the state $|\psi\rangle$ into $|\varphi'\rangle$ and provides
classical outputs k to Alice and $\ell$ to Bob, such that the following holds except with probability
$\varepsilon$. The state $|\varphi'\rangle$ coincides with $|\varphi\rangle = (U_{x,y} \otimes \mathbb{I})|\psi\rangle$
up to local qubit-wise operations on A and B that are determined by k and $\ell$.

The solution works by teleporting states back and forth in a clever way [Vai03], but without 
communicating the classical outcomes of the Bell measurements, so that only local operations are 
performed. Thus, in the formal proof below, whenever we say that a state is teleported, it should 
be understood in this sense, i.e., the sender makes a Bell measurement resulting in some classical 
information, and the receiver takes his shares of the EPR pairs as the received state, but does/can 
not (yet) correct it. 

Proof. To simplify notation, we assume that the joint state of A and B is pure, and thus we may 
ignore system E. However, all our arguments also hold in case the state of A and B is entangled 
with E. 

Next, we observe that it is sufficient to prove Theorem 4.3 for the case where B is "empty", i.e.,
$\dim \mathcal{H}_B = 1$ and thus $n_B = 0$. Indeed, if this is not the case, Alice and Bob can do the following.
Bob first teleports B to Alice. Now, Alice holds $A' = AB$ with $n_{A'} = n_A + n_B$, and Bob's system
has collapsed and thus Bob holds no quantum state anymore, only classical information. Then,
they do the nonlocal computation, and in the end Alice teleports B back to Bob. The modification
to the state of B introduced by teleporting it to Alice can be taken care of by modifying the set
of unitaries $\{U_{x,y}\}$ accordingly (and making it dependent on Bob's measurement outcome, thereby
extending the set $\mathcal{Y}$). Also, the modification to the state of B introduced by teleporting it back
to Bob does not harm the requirement of the joint state being equal to $|\varphi\rangle = U_{x,y}|\psi\rangle$
up to local qubit-wise operations.

Hence, from now on, we may assume that B is "empty", and we write n for $n_A$. Next, we
describe the core of how the local operations $\mathcal{A}_x$ and $\mathcal{B}_y$ work. To simplify notation,
we assume that $\mathcal{X} = \{1, \ldots, m\}$. Recall that Alice and Bob share (many) EPR pairs. We may
assume that the EPR pairs are grouped into groups of size n; each such group we call a teleportation channel.
Furthermore, we may assume that m of these teleportation channels are labeled by the numbers 1
up to m, and that another m of these teleportation channels are labeled by the numbers m + 1 up
to 2m.

1. Alice teleports $|\psi\rangle$ to Bob, using the teleportation channel that is labeled by her input x. Let
us denote her measurement outcome by $k_\circ \in \{0, 1, 2, 3\}^n$.

2. For every $i \in \{1, \ldots, m\}$, Bob does the following. He applies the unitary $U_{i,y}$ to the n qubits
that make up his share of the EPR pairs given by the teleportation channel labeled by i.
Then, he teleports the resulting state to Alice using the teleportation channel labeled by
m + i. We denote the corresponding measurement outcome by $\ell_{\circ,i}$.

3. Alice specifies the n qubits that make up her share of the EPR pairs given by the teleportation
channel labeled by m + x to be the state $|\varphi'\rangle$.

Let us analyze the above. With probability $1/4^n$, namely if $k_\circ = 0 \cdots 0$, teleporting $|\psi\rangle$
to Bob leaves the state unchanged. In this case, it is easy to see that the resulting state $|\varphi'\rangle$
satisfies the required property of being identical to $|\varphi\rangle = U_{x,y}|\psi\rangle$ up to local
qubit-wise operations determined by $\ell_{\circ,x}$, and thus determined by x and
$\ell_\circ = (\ell_{\circ,1}, \ldots, \ell_{\circ,m})$. This proves the claim for the case
where $\varepsilon \geq 1 - 1/4^n$.

We show how to reduce $\varepsilon$. The crucial observation is that if in the above procedure
$k_\circ \neq 0 \cdots 0$, and thus $|\varphi'\rangle$ is not necessarily identical to $|\varphi\rangle$ up to
local qubit-wise operations, then

$$|\varphi'\rangle = V_{\ell_{\circ,x}} U_{x,y} V_{k_\circ} |\psi\rangle = V_{\ell_{\circ,x}} U_{x,y} V_{k_\circ} U_{x,y}^\dagger |\varphi\rangle ,$$

where $V_{\ell_{\circ,x}}$ and $V_{k_\circ}$ are tensor products of Pauli matrices. Thus, setting
$|\psi'\rangle := |\varphi'\rangle$, $x' := (x, k_\circ)$ and $y' := (y, \ell_\circ)$, and
$U'_{x',y'} := U_{x,y} V_{k_\circ}^\dagger U_{x,y}^\dagger V_{\ell_{\circ,x}}^\dagger$, the state $|\varphi\rangle$
can be written as $|\varphi\rangle = U'_{x',y'} |\psi'\rangle$. This means, we are back to the original problem of
applying a unitary, $U'_{x',y'}$, to a state, $|\psi'\rangle$, held by Alice, where the unitary depends on
classical information x' and y', known by Alice and Bob, respectively. Thus, we can re-apply the above
procedure to the new problem instance. Note that in the new problem instance, the classical inputs x' and y'
come from larger sets than the original inputs x and y, but the new quantum input, $|\psi'\rangle$, has the
same qubit size, n. Therefore, re-applying the procedure will succeed with the same probability $1/4^n$.

As there is a constant probability of success in each round, re-applying the above procedure
sufficiently many times to the resulting new problem instances guarantees that except with arbitrarily
small probability, the state $|\varphi'\rangle$ will be of the required form at some point (when Alice gets
$k_\circ = 0 \cdots 0$). Say, this is the case at the end of the j-th iteration. Then, Alice stops with her
part of the procedure at this point, keeps the state $|\varphi'\rangle$, and specifies k to consist of j and
of her classical input into the j-th iteration (which consists of x and of the $k_\circ$'s from the prior
j - 1 iterations). Since Bob does not learn whether an iteration is successful or not, he has to keep on
re-iterating up to some bound, and in the end he specifies $\ell$ to consist of the $\ell_\circ$'s collected
over all the iterations. The state $|\varphi'\rangle$ equals $|\varphi\rangle = U_{x,y}|\psi\rangle$ up to local
qubit-wise operations that are determined by k and $\ell$. □
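One iteration of the procedure from the proof, simulated for a single qubit (n = 1) and for the channel labeled x only, as an added example that is not code from the paper. The function names, the sample state and unitary, and the labelling of the four Bell outcomes by I, X, Z, XZ are assumptions of the example; it enumerates the outcomes $k_\circ$ and $\ell_{\circ,x}$ instead of sampling them.

```python
import cmath
import math

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]

def mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def dag(a):
    return [[complex(a[j][i]).conjugate() for j in range(2)] for i in range(2)]

def apply(a, v):
    return [a[i][0] * v[0] + a[i][1] * v[1] for i in range(2)]

def close(v, w, tol=1e-9):
    return all(abs(p - q) < tol for p, q in zip(v, w))

# Assumed labelling of the Bell outcomes 0..3; outcome 0 is the identity.
PAULI = [I2, X, Z, mul(X, Z)]

# Constructed sample input: a normalized state and a one-qubit unitary.
_S = 1 / math.sqrt(2)
_W = cmath.exp(1j * math.pi / 4)
PSI_SAMPLE = [0.6, 0.8j]
U_SAMPLE = [[_S, _S], [_S * _W, -_S * _W]]

def teleport_uncorrected(psi, k):
    """Sender projects (her qubit, her EPR half) onto Bell state k and sends
    nothing. Returns (probability of outcome k, receiver's normalized state)."""
    s = 1 / math.sqrt(2)
    phi_plus = [[s, 0], [0, s]]                       # |Phi+>, indexed [a2][b]
    bell = [[PAULI[k][a2][a] * s for a2 in range(2)]  # (I (x) P_k)|Phi+>, [a][a2]
            for a in range(2)]
    out = [sum(complex(bell[a][a2]).conjugate() * psi[a] * phi_plus[a2][b]
               for a in range(2) for a2 in range(2)) for b in range(2)]
    prob = sum(abs(c) ** 2 for c in out)
    return prob, [c / math.sqrt(prob) for c in out]

def one_iteration(psi, U, k, l):
    """Steps 1-3 on channel x: Alice -> Bob (outcome k), Bob applies U and
    teleports back (outcome l). Returns (branch probability, Alice's state)."""
    p_k, at_bob = teleport_uncorrected(psi, k)
    p_l, at_alice = teleport_uncorrected(apply(U, at_bob), l)
    return p_k * p_l, at_alice

def updated_unitary(U, k, l):
    """U' = U V_k^dagger U^dagger V_l^dagger, the unitary of the next round."""
    return mul(mul(U, dag(PAULI[k])), mul(dag(U), dag(PAULI[l])))

def iterations_needed(n, eps):
    """Smallest j with (1 - 4**-n)**j <= eps: rounds until failure is <= eps."""
    return math.ceil(math.log(eps) / math.log(1 - 4.0 ** -n))
```

For outcome k = 0 Alice's state is already $U|\psi\rangle$ up to the Pauli labelled by l; for every other k, applying `updated_unitary(U, k, l)` to her state yields $U|\psi\rangle$, which is the re-application step of the proof.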

Doing the maths shows that the number of EPR pairs needed by Alice and Bob in the scheme
described in the proof is double exponential in $n_A + n_B$, the qubit size of the joint quantum system.

In recent subsequent work [BK11], Beigi and König have used a different kind of quantum
teleportation by Ishizaka and Hiroshima [IH08, IH09] to reduce the amount of entanglement needed
to perform instantaneous nonlocal quantum computation to exponential in the qubit size of the
joint quantum system. It remains an interesting open question whether such an exponentially large
amount of entanglement is necessary.

In Appendix B, we explain how to perform instantaneous nonlocal quantum computation among 
more than two parties. 

5 Impossibility of Unconditional Position Verification 

In this section we show that no position-verification scheme is secure against a coalition of quantum
adversaries in the Vanilla model. For simplicity, we consider the one-dimensional case, with two
verifiers $V_0$ and $V_1$, but the attack can be generalized to higher dimensions and more verifiers.

We consider an arbitrary position-verification scheme in our model (as specified in Section 3.1).
We recall that in this model, the verifiers must base their decision solely on what the prover replies
and how long it takes him to reply, and the honest prover has no advantage over a coalition of
dishonest provers beyond being at the claimed position². Such a position-verification scheme may
be of the form as specified in Figure 1, but may also be made up of several, possibly interleaved,
rounds of interaction between the prover and the verifiers.

For the honest prover P, such a general scheme consists of steps that look as follows. P holds
a local quantum register R, which is set to some default value at the beginning of the scheme. In
each step, P obtains a system A from $V_0$ and a system B from $V_1$, and $V_0$ and $V_1$ jointly keep some
system E. Let $|\psi\rangle$ be the state of the four-partite system ABRE; it is determined by the scheme
and by the step within the scheme we are focussing on. P has to apply a fixed³ known unitary
transformation U to ABR, and send the (transformed) systems A and B back to $V_0$ and $V_1$ (and
keep R). Note that after the transformation, the state of ABRE is given by
$|\varphi\rangle = (U \otimes \mathbb{I})|\psi\rangle$, where $\mathbb{I}$ is the identity acting on $\mathcal{H}_E$.
For technical reasons, as in Section 4, it will be convenient to distinguish between classical and quantum
inputs, and therefore, we let the unitary U depend on classical information x and y, where x has been sent
by $V_0$ along with A, and y has been sent by $V_1$ along with B.

We show that a coalition of two dishonest provers $\hat{P}_0$ and $\hat{P}_1$, where $\hat{P}_0$ is located in
between $V_0$ and P and $\hat{P}_1$ is located in between $V_1$ and P, can perfectly simulate the actions of
the honest prover P, and therefore it is impossible for the verifiers to distinguish between an honest prover
at position pos and a coalition of dishonest provers at positions different from pos. The simulation
of the dishonest provers perfectly imitates the computation as well as the timing of an honest P.
Since in our model this information is what the verifiers have to base their decision on, the general
impossibility of position-verification in our model follows.

² In particular, the prover does not share any secret information with the verifiers, differentiating our setting from
models as described for example in [Ken10].

³ U is fixed for a fixed scheme and for a fixed step within the scheme, but of course may vary for different schemes
and for different steps within a scheme.

Consider a step in the scheme as described above, but now from the point of view of $\hat{P}_0$ and $\hat{P}_1$.
Since $\hat{P}_0$ is closer to $V_0$, he will first receive A and x; similarly, $\hat{P}_1$ will first receive B
and y. We specify that $\hat{P}_1$ takes care of and maintains the local register R. If the step we consider is
the first step in the scheme, the state of ABRE equals $|\psi\rangle$, as in the case of an honest P. In order
to have an invariant that holds for all the steps, we actually relax this statement and merely observe that
the state of ABRE, say $|\psi'\rangle$, equals $|\psi\rangle$ up to local and qubit-wise operations on the
subsystem R, determined by classical information $x_\circ$ and $y_\circ$, where $\hat{P}_0$ holds $x_\circ$ and
$\hat{P}_1$ holds $y_\circ$. This invariant clearly holds for the first step in the scheme, when R is in some
default state, and we will show that it also holds for the other steps.

By Theorem 4.3, it follows that without communication, just by instantaneous local operations,
$\hat{P}_0$ and $\hat{P}_1$ can transform the state $|\psi'\rangle$ into a state $|\varphi'\rangle$ that coincides
with $|\varphi\rangle = (U_{x,y} \otimes \mathbb{I})|\psi\rangle$ up to local and qubit-wise transformations on A, B
and R, determined by classical information k (known to $\hat{P}_0$) and $\ell$ (known to $\hat{P}_1$). Note that
the initial state is not $|\psi\rangle$, but rather a state of the form
$|\psi'\rangle = (V_{x_\circ,y_\circ} \otimes \mathbb{I})|\psi\rangle$, where $x_\circ$ is known to $\hat{P}_0$ and
$y_\circ$ to $\hat{P}_1$. Thus, Theorem 4.3 is actually applied to the unitary
$U'_{x',y'} = U_{x,y} V_{x_\circ,y_\circ}^\dagger$, where $x' = (x_\circ, x)$ and $y' = (y_\circ, y)$. Given
$|\varphi'\rangle$ and k and $\ell$, $\hat{P}_0$ and $\hat{P}_1$ can exchange k and $\ell$ using one mutual round
of communication and transform $|\varphi'\rangle$ into $|\varphi''\rangle$ that coincides with $|\varphi\rangle$ up
to qubit-wise operations only on R, and send A to $V_0$ and B to $V_1$. It follows that the state of ABE and
the time it took $\hat{P}_0$ and $\hat{P}_1$ for the computation and communication is identical to that of an
honest P, i.e., $\hat{P}_0$ and $\hat{P}_1$ have perfectly simulated this step of the scheme.

Finally, we see that the invariant is satisfied, when moving on to the next step in the scheme,
where $\hat{P}_0$ and $\hat{P}_1$ receive new A and B (along with new classical x and y) from $V_0$ and $V_1$,
respectively. Even if this new round interleaves with the previous round in that the new A and B etc. arrive
before $\hat{P}_0$ and $\hat{P}_1$ have finished exchanging (the old) k and $\ell$, it still holds that the state
of ABRE is as in the case of honest P up to qubit-wise operations on the subsystem R. It follows that the
above procedure works for all the steps and thus that $\hat{P}_0$ and $\hat{P}_1$ can indeed perfectly simulate
honest P's actions throughout the whole scheme.

6 Secure Position-Verification in the No-PE model

6.1 Basic Scheme and its Analysis 

In this section we show the possibility of secure position-verification in the No-PE model. We 
consider the following basic 1-round position-verification scheme, given in Figure 2. It is based on 
the BB84 encoding. 



0. $V_0$ chooses two random bits $x, \theta \in \{0, 1\}$ and privately sends them to $V_1$.

1. $V_0$ prepares the qubit $H^\theta|x\rangle$ and sends it to P, and $V_1$ sends the bit $\theta$ to P, so that
$H^\theta|x\rangle$ and $\theta$ arrive at the same time at P.

2. When $H^\theta|x\rangle$ and $\theta$ arrive, P measures $H^\theta|x\rangle$ in basis $\theta$ to observe
$x' \in \{0, 1\}$, and sends x' to $V_0$ and $V_1$.

3. $V_0$ and $V_1$ accept if on both sides x' arrives in time and x' = x.

Figure 2: Position-verification scheme $\mathrm{PV}^{\varepsilon}_{\mathrm{BB84}}$ based on the BB84 encoding.

We implicitly specify that parties abort if they receive any message that is inconsistent with
the protocol, for instance (classical) messages with a wrong length, or different number of received
qubits than expected, etc.

Theorem 6.1. The 1-round position-verification scheme $\mathrm{PV}^{\varepsilon}_{\mathrm{BB84}}$ from Figure 2 is
$\varepsilon$-sound with $\varepsilon = 1 - h^{-1}(\frac{1}{2})$, in the No-PE model.

Recall that h denotes the binary entropy function and $h^{-1}$ its inverse on the branch $0 \leq p \leq \frac{1}{2}$.
A numerical calculation shows that $h^{-1}(\frac{1}{2}) \geq 0.11$ and thus $\varepsilon \leq 0.89$. A particular
attack for a dishonest prover $\hat{P}$, sitting in-between $V_0$ and P, is to measure the qubit
$H^\theta|x\rangle$ in the Breidbart basis, resulting in an acceptance probability of
$\cos(\pi/8)^2 \approx 0.85$. This shows that our analysis is pretty tight.

Proof. In order to analyze the position-verification scheme it is convenient to consider an equivalent
purified version, given in Figure 3. The only difference between the original and the purified scheme
is the preparation of the bit $H^\theta|x\rangle$. In the purified version, it is done by preparing
$|\Phi_{AB}\rangle = (|0\rangle|0\rangle + |1\rangle|1\rangle)/\sqrt{2}$ and measuring A in basis $\theta$. This way
of preparation changes the point in time when $V_0$ measures A, and the point in time when $V_1$ learns x.
This, however, has no influence on the view of the (dishonest or honest) prover, nor on the joint
distribution of $\theta$, x and x', and thus neither on the probability that $V_0$ and $V_1$ accept. It
therefore suffices to analyze the purified version.



0. $V_0$ and $V_1$ privately agree on a random bit $\theta \in \{0, 1\}$.

1. $V_0$ prepares an EPR pair $|\Phi_{AB}\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$, keeps qubit A and sends B
to P, and $V_1$ sends the bit $\theta$ to P, so that B and $\theta$ arrive at the same time at P.

2. When B and $\theta$ arrive, P measures B in basis $\theta$ to observe $x' \in \{0, 1\}$, and sends x' to
$V_0$ and $V_1$.

3. Only now, when x' arrives, $V_0$ measures A in basis $\theta$ to observe x, and privately sends x to $V_1$.
$V_0$ and $V_1$ accept if on both sides x' arrives in time and x' = x.

Figure 3: EPR version of $\mathrm{PV}^{\varepsilon}_{\mathrm{BB84}}$.

We first consider security against two dishonest provers $\hat{P}_0$ and $\hat{P}_1$, where $\hat{P}_0$ is between
$V_0$ and P and $\hat{P}_1$ is between $V_1$ and P. In the end we will argue that a similar argument holds for
multiple dishonest provers on either side.

Since $V_0$ and $V_1$ do not accept if x' does not arrive in time and dishonest provers do not use
pre-shared entanglement in the No-PE-model, any potentially successful strategy of $\hat{P}_0$ and $\hat{P}_1$ must
look as follows. As soon as $\hat{P}_1$ receives the bit $\theta$ from $V_1$, she forwards (a copy of) it to
$\hat{P}_0$. Also, as soon as $\hat{P}_0$ receives the qubit A, she applies an arbitrary quantum operation to the
received qubit A (and maybe some ancillary system she possesses) that maps it into a bipartite state $E_0E_1$
(with arbitrary state space $\mathcal{H}_{E_0} \otimes \mathcal{H}_{E_1}$), and $\hat{P}_0$ keeps $E_0$ and sends
$E_1$ to $\hat{P}_1$. Then, as soon as $\hat{P}_0$ receives $\theta$, she applies some measurement (which may depend
on $\theta$) to $E_0$ to obtain $x_0$, and as soon as $\hat{P}_1$ receives $E_1$, she applies some measurement
(which may depend on $\theta$) to $E_1$ to obtain $x_1$, and both send $x_0$ and $x_1$ immediately to $V_0$ and
$V_1$, respectively. We will argue that the probability that $x_0 = x$ and $x_1 = x$ is upper bounded by
$\varepsilon$ as claimed.

Let $|\psi_{AE_0E_1}\rangle \in \mathcal{H}_A \otimes \mathcal{H}_{E_0} \otimes \mathcal{H}_{E_1}$ be the state of the
tri-partite system $AE_0E_1$ after $\hat{P}_0$ has applied the quantum operation to the qubit B. Note that in the
No-PE model, the quantum operation and thus $|\psi_{AE_0E_1}\rangle$ does not depend on $\theta$.⁴ Recall that x
is obtained by measuring A in either the computational (if $\theta = 0$) or the Hadamard (if $\theta = 1$) basis.
Writing x, $\theta$, etc. as random variables X, $\Theta$, etc., it follows from CIT (specifically Corollary 2.5)
that $H(X|\Theta E_0) + H(X|\Theta E_1) \geq 1$. Let $Y_0$ and $Y_1$ denote the classical information obtained by
$\hat{P}_0$ and $\hat{P}_1$ as a result of measuring $E_0$ and $E_1$, respectively, with bases that may depend on
$\Theta$. By the (generalized) Holevo bound Theorem 2.2, it follows from the above that

$$H(X|\Theta Y_0) + H(X|\Theta Y_1) \geq 1 ,$$

therefore $H(X|\Theta Y_i) \geq \frac{1}{2}$ for at least one $i \in \{0, 1\}$. By Fano's inequality (Theorem 2.3),
we can conclude that the corresponding error probability $q_i = P[X_i \neq X]$ satisfies $h(q_i) \geq \frac{1}{2}$.
It thus follows that the failure probability

$$q = P[X_0 \neq X \vee X_1 \neq X] \geq \max\{q_0, q_1\} \geq h^{-1}(\tfrac{1}{2}) ,$$

and the probability of $V_0$ and $V_1$ accepting, $P[X_0 = X \wedge X_1 = X] = 1 - q$, is indeed upper bounded
by $\varepsilon$ as claimed.

It remains to argue that more than two dishonest provers in the No-PE model cannot do any
better. The reasoning is the same as above. Namely, in order to respond in time, the dishonest
provers that are closer to $V_0$ than P must map the qubit A (possibly jointly) into a bipartite state
$E_0E_1$ without knowing $\theta$, and jointly keep $E_0$ and send $E_1$ to the dishonest provers that are "on
the other side" of P (i.e., closer to $V_1$). Then, the reply for $V_0$ needs to be computed from $E_0$ and
$\theta$ (possibly jointly by the dishonest provers that are closer to $V_0$), and the response for $V_1$ from
$E_1$ and $\theta$. Thus, it can be argued as above that the success probability is bounded by $\varepsilon$ as
claimed. □

6.2 Reducing the Soundness Error 

In order to obtain a position-verification scheme with a negligible soundness error, we can simply
repeat the 1-round scheme $\mathrm{PV}^{\varepsilon}_{\mathrm{BB84}}$ from Figure 2. Repeating the scheme n times in
sequence, where the verifiers launch the next execution only after the previous one is finished, reduces the
soundness error to $\varepsilon^n$. Recall that in the No-PE model, defined in Section 3.1, the adversaries must
start every round without pre-shared entanglement. Therefore, the security of the sequentially repeated
scheme follows immediately from the security of the 1-round scheme.

Corollary 6.2. In the No-PE model, the n-fold sequential repetition of $\mathrm{PV}^{\varepsilon}_{\mathrm{BB84}}$
from Figure 2 is $\varepsilon^n$-sound with $\varepsilon = 1 - h^{-1}(\frac{1}{2})$.
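The numbers quoted after Theorem 6.1 and the repetition count that Corollary 6.2 implies for a target soundness error, reproduced as an added example that is not code from the paper. The function names, the restriction to real single-qubit measurement bases given by a rotation angle, and the target error $2^{-40}$ used in the check are assumptions of the example.

```python
import math

def h(p):
    """Binary entropy in bits."""
    if p in (0.0, 1.0):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def h_inv(y, tol=1e-12):
    """Inverse of h on the branch 0 <= p <= 1/2 (h is increasing there)."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if h(mid) < y:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def soundness_bound():
    """epsilon = 1 - h^{-1}(1/2) from Theorem 6.1."""
    return 1 - h_inv(0.5)

def bb84_state(x, theta):
    """H^theta |x> as a real 2-vector."""
    s = 1 / math.sqrt(2)
    if theta == 0:
        return (1.0, 0.0) if x == 0 else (0.0, 1.0)
    return (s, s) if x == 0 else (s, -s)

def accept_probability(angle_for_theta):
    """P[x' = x] over uniform x and theta for a responder who measures the
    qubit in the real orthonormal basis rotated by angle_for_theta(theta)."""
    total = 0.0
    for theta in (0, 1):
        a = angle_for_theta(theta)
        basis = ((math.cos(a), math.sin(a)),      # outcome 0
                 (-math.sin(a), math.cos(a)))     # outcome 1
        for x in (0, 1):
            psi = bb84_state(x, theta)
            amp = basis[x][0] * psi[0] + basis[x][1] * psi[1]
            total += amp * amp / 4
    return total

def honest_angle(theta):
    """Honest P knows theta: computational basis (0) or Hadamard basis (pi/4)."""
    return theta * math.pi / 4

def breidbart_angle(theta):
    """Theta-independent Breidbart basis, halfway between the two BB84 bases."""
    return math.pi / 8

def repetitions_needed(target, eps=None):
    """Smallest n with eps**n <= target for the sequential repetition."""
    eps = soundness_bound() if eps is None else eps
    return math.ceil(math.log(target) / math.log(eps))
```

The honest strategy is accepted with probability 1, the Breidbart measurement with $\cos(\pi/8)^2$, which stays below the proven bound, and pushing the bound below $2^{-40}$ takes 238 sequential rounds.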

In terms of round complexity, a more efficient way of repeating $\mathrm{PV}^{\varepsilon}_{\mathrm{BB84}}$ is by
repeating it in parallel: $V_0$ sends n BB84 qubits $H^{\theta_1}|x_1\rangle, \ldots, H^{\theta_n}|x_n\rangle$ and
$V_1$ sends the corresponding bases $\theta_1, \ldots, \theta_n$ to P so that they all arrive at the same time at
P's position, and P needs to reply with the correct list $x_1, \ldots, x_n$ in time. This protocol is obviously
more efficient in terms of round complexity and appears to be the preferred solution. However, we do not have a
proof for the security of the parallel repetition of $\mathrm{PV}^{\varepsilon}_{\mathrm{BB84}}$.

6.3 Position Verification in Higher Dimensions 

The scheme $\mathrm{PV}^{\varepsilon}_{\mathrm{BB84}}$ can easily be extended into higher dimensions. The scheme for
d dimensions is a generalization of the scheme $\mathrm{PV}^{\varepsilon}_{\mathrm{BB84}}$ in Figure 2, where the
challenges of the verifiers $V_1, V_2, \ldots, V_d$ form a sum sharing of the basis $\theta$, i.e., are random
$\theta_1, \theta_2, \ldots, \theta_d \in \{0, 1\}$ such that their modulo-2 sum equals $\theta$. As specified in
Figure 1, the state $H^\theta|x\rangle$ and the shares $\theta_i$ are sent by the verifiers to P such that they
arrive at P's (claimed) position at the same time. P can reconstruct $\theta$ and measure $H^\theta|x\rangle$ in
the correct basis to obtain x' = x, which he sends to all the verifiers who check if x' arrives in time and
equals x.

⁴ We stress that this independence breaks down if $\hat{P}_0$ and $\hat{P}_1$ may start off with an entangled state,
because then $\hat{P}_1$ can act on his part of the entangled state in a $\theta$-dependent way, which makes the
overall state dependent on $\theta$.

We can argue security by a reduction to the scheme in 1 dimension. For the sake of concreteness,
we consider 3 dimensions. For 3 dimensions, we need a set of (at least) 4 non-coplanar verifiers
$V_0, \ldots, V_3$, and the prover P needs to be located inside the tetrahedron defined by the positions
of the 4 verifiers. We consider a coalition of dishonest provers $\hat{P}_0, \ldots, \hat{P}_\ell$ at arbitrary
positions but different to P. We may assume that $\hat{P}_0$ is closest to $V_0$. It is easy to see that there
exists a verifier $V_j$ such that $d(\hat{P}_0, V_j) > d(P, V_j)$. Furthermore, we may assume that $V_j$ is not
$V_0$ and thus we assume for concreteness that it is $V_1$. We strengthen the dishonest provers by giving them
$\theta_2$ and $\theta_3$ for free from the beginning. Since, when $\theta_2$ and $\theta_3$ are given, $\theta$
can be computed from $\theta_1$ and vice versa, we may assume that $V_1$ actually sends $\theta$ as challenge
rather than $\theta_1$. But now, $\theta_2$ and $\theta_3$ are just two random bits, independent of $\theta$ and
x, and are thus of no help to the dishonest provers and we can safely ignore them.

As $\hat{P}_0$ is further away from $V_1$ than P is, $\hat{P}_0$ cannot afford to store $H^\theta|x\rangle$ until
he has learned $\theta$. Indeed, otherwise $V_1$ will not get a reply in time. Therefore, before she learns
$\theta$, $\hat{P}_0$ needs to apply a quantum transformation to $H^\theta|x\rangle$ with a bi-partite output and
keep one part of the output, $E_0$, and send the other part, $E_1$, to $\hat{P}_1$. Note that this quantum
transformation is independent of $\theta$, as long as $\hat{P}_0$ does not share an entangled state with the other
dishonest provers (who might know $\theta$ by now). Then, $x_0$ and $x_1$, the replies that are sent to $V_0$ and
$V_1$, respectively, need to be computed from $\theta$ and $E_0$ alone and from $\theta$ and $E_1$ alone. It
follows from the analysis of the scheme in one dimension that the probability that both $x_0$ and $x_1$ coincide
with x is at most $\varepsilon = 1 - h^{-1}(\frac{1}{2})$.

Corollary 6.3. The above generalization of $\mathrm{PV}^{\varepsilon}_{\mathrm{BB84}}$ to d dimensions is
$\varepsilon$-sound in the No-PE model with $\varepsilon = 1 - h^{-1}(\frac{1}{2})$.

7 Position-Based Authentication and Key-Exchange 

In this section we consider a new primitive: position-based authentication. In contrast to
position-verification, where the goal of the verifiers is to make sure that entity P is at the claimed location
pos, the verifiers want to make sure that a given message m originates from an entity P that is at
the claimed location pos. We stress that it is not sufficient to first execute a position-verification
scheme with P to ensure that P is at position pos and then have P send or confirm m, because
a coalition of dishonest provers may do a man-in-the-middle attack and stay passive during the
execution of the positioning scheme but modify the communicated message m.

Formally, in a position-based authentication scheme the prover takes as input a message m and
the verifiers $V_0, \ldots, V_k$ take as input a message m' and the claimed position pos of P, and we require
the following security properties.

• $\varepsilon_c$-Completeness: If m = m', P is honest and at the claimed position pos, and if there is no
(coalition of) dishonest prover(s), then the verifiers jointly accept except with probability $\varepsilon_c$.

• $\varepsilon_s$-Soundness: For any $pos \in \mathrm{Hull}(pos_0, \ldots, pos_k)$ and for any coalition of dishonest
provers $\hat{P}_0, \ldots, \hat{P}_\ell$ at locations all different to pos, if $m \neq m'$, the verifiers jointly
reject except with probability $\varepsilon_s$.

We build a position-based authentication scheme based on our position-verification scheme. The
idea is to incorporate the message to be authenticated into the replies of the position-verification
scheme. Our construction is very generic and may also be useful for turning other kinds of identification
schemes (not necessarily position-based schemes) into corresponding authentication schemes.
Our aim is merely to show the existence of such a scheme; we do not strive for optimization. We
begin by proposing a weak position-based authentication scheme for a 1-bit message m.

7.1 Weak 1-bit authentication scheme 

Let $\mathrm{PV}^{\varepsilon}$ be a 1-round position-verification scheme between k + 1 verifiers
$V_0, \ldots, V_k$ and a prover P. For simplicity, we assume that, like for the scheme
$\mathrm{PV}^{\varepsilon}_{\mathrm{BB84}}$ from Section 6, x and $x'_0, \ldots, x'_k$ are classical, and Ver accepts
if $x'_i = x$ for all i, and thus we understand the output of $\mathrm{Resp}(ch_0, \ldots, ch_k)$ as a single element
x' (supposed to be x). We require $\mathrm{PV}^{\varepsilon}$ to have perfect completeness and
soundness $\varepsilon < 1$. We let $\perp$ be some special symbol. We consider the weak authentication scheme
given in Figure 4 for a 1-bit message $m \in \{0, 1\}$. We assume that m has already been communicated
to the verifiers and thus there is agreement among the verifiers on the message to be authenticated.
The weak authentication scheme works by executing the 1-round position-verification scheme
$\mathrm{PV}^{\varepsilon}$, but letting P replace his response x' by $\perp$ with probability q, to be specified later.



0. $V_0$ generates $(ch_0, \ldots, ch_k)$ and $x$ using Chlg and sends $ch_i$ and $x$ to $V_i$ for $i = 1, \ldots, k$.

1. Every verifier $V_i$ sends $ch_i$ to $P$ in such a way that all $ch_i$s arrive at the same time at $P$.

2. When the $ch_i$s arrive, $P$ computes the authentication tag $t$ as follows and sends it back to all the
verifiers.

If $m = 1$ then $t := \mathrm{Resp}(ch_0, \ldots, ch_k)$, and if $m = 0$ then $t := \bot$ with probability $q$ and
$t := \mathrm{Resp}(ch_0, \ldots, ch_k)$ otherwise.

3. If different verifiers have received different values for $t$, or it didn't arrive in time, the verifiers
abort.

Otherwise, they jointly accept if $t = x$ or both $m = 0$ and $t = \bot$.

Figure 4: Generic position-based weak authentication scheme $\mathsf{wAUTH}^\varepsilon$ for 1-bit message $m$.

We analyze the success probability of an adversary authenticating a bit $m' \in \{0, 1\}$. We consider
the case where there is no honest prover present (we call this an impersonation attack), and the
case where an honest prover is active and authenticates the bit $m \neq m'$ (we call this a substitution
attack).

The following properties are easy to verify and follow from the security property of $\mathsf{PV}^\varepsilon$.

Lemma 7.1. Let $\hat{P}$ be a coalition of dishonest provers not at the claimed position and trying
to authenticate message $m' = 1$. In case of an impersonation attack, the verifiers accept with
probability at most $\varepsilon$, and in case of a substitution attack (with $m = 0$), the verifiers accept with
probability at most $\delta = (1 - q) + q\varepsilon = 1 - q(1 - \varepsilon) < 1$.

On the other hand, $\hat{P}$ can obviously authenticate $m' = 0$ by means of a substitution attack
with success probability 1; however, informally, $\hat{P}$ has bounded success probability in authenticating
message $m' = 0$ by means of an impersonation attack unless he uses the tag $\bot$. (This fact is used
later to obtain a strong authentication scheme.)

Let us try to extend the above in order to get a strong authentication scheme. Based on
the observation that by performing a substitution attack on $\mathsf{wAUTH}^\varepsilon$, it is easy to substitute the
message bit $m = 1$ by $m' = 0$ but non-trivial to substitute $m = 0$ by $m' = 1$, a first approach
to obtain an authentication scheme with good security might be to apply $\mathsf{wAUTH}^\varepsilon$ bit-wise to a
balanced encoding of the message. Such an encoding should ensure that for any distinct messages
$m$ and $m'$, there are many positions in which the encoding of $m'$ is 1 but the encoding of $m$
is 0. Unfortunately this is not good enough. The reason is that $P$ and the verifiers are not
necessarily synchronized. For instance, assume we encode $m = 0$ into $c = 010101\ldots01$ and $m' = 1$
into $c' = 101010\ldots10$, and authentication works by doing $\mathsf{wAUTH}^\varepsilon$ bit-wise on all the bits of the
encoded message. If $\hat{P}$ wants to substitute $m = 0$ by $m' = 1$ then he can simply do the following. He
tries to authenticate the first bit 1 of $c'$ towards the verifiers by means of an impersonation attack.
If he succeeds, which he can with constant probability, he simply authenticates the remaining bits
$01010\ldots10$ of $c'$ by using $P$, who is happy to authenticate all of the bits of $c = 010101\ldots01$. Because
of this issue of $\hat{P}$ bringing $P$ and the verifiers out of sync, we need to be more careful about the
exact encoding we use.

7.2 Secure Position-Based Authentication Scheme 

We specify a special class of codes, which is strong enough for our purpose. 

Definition 7.2. Let $c \in \{0,1\}^N$. A vector $e \in \{-1, 0, 1\}^{2N}$ is called an embedding of $c$ if by
removing all the $-1$ entries in $e$ we obtain $c$. Furthermore, for two strings $c, c' \in \{0, 1\}^N$ we say
that $c'$ $\lambda$-dominates $c$ if for all embeddings $e$ and $e'$ of $c$ and $c'$ (at least) one of the following holds:
(a) the number of positions $i \in \{1, \ldots, 2N\}$ for which $e'_i = 1$ and $e_i < 1$ is at least $\lambda$, or (b) there
exist a consecutive sequence of indices $I$ such that the set $J = \{i \in I : e'_i > -1\}$ has size $|J| > 4\lambda$
and it contains at least $\lambda$ indices $i \in J$ with $e_i = -1$.

For instance, let $c = 00\ldots011\ldots1$ and $c' = 11\ldots100\ldots0$, where the blocks of 0's and 1's are of
length $N/2$. It is not hard to see that the two codewords $N/4$-dominate each other. However,
$c' = 0101\ldots01$ does not dominate $c = 1010\ldots10$, since $c'$ can be embedded into $\sqcup 0101\ldots01 \sqcup \cdots \sqcup$ and
$c$ into $1010\ldots10 \sqcup\sqcup \cdots \sqcup$, where here and later we use $\sqcup$ to represent $-1$.

Definition 7.3. A code $C$ is $\lambda$-dominating, if any two codewords in $C$ $\lambda$-dominate each other.

We note that the requirement for $\lambda$-dominating codes can be relaxed in various ways to allow
a greater range of codes.

Let $\mathsf{wAUTH}^\varepsilon$ be the above weak authentication scheme satisfying Lemma 7.1. In order to
authenticate a message $m \in \{0, 1\}^\mu$ in a strong way (with $\lambda$ a security parameter), an encoding $c$
of $m$ using a $\lambda$-dominating code $C$ is bit-wise authenticated by means of $\mathsf{wAUTH}^\varepsilon$, and the verifiers
perform statistics over the number of $\bot$s received. The resulting authentication scheme is given in
Figure 5; as for the weak scheme, we assume that the message $m$ has already been communicated.



0. $P$ and the verifiers encode $m$ into a codeword $c = (c_1, \ldots, c_N) \in C$, for a $\lambda$-dominating code $C$.

1. For $j = 1, \ldots, N$, the following is repeated in sequence.

   1.1 $P$ authenticates $c_j$ by means of $\mathsf{wAUTH}^\varepsilon$. Let $t_j$ be the corresponding tag received.

   1.2 If $j > 4\lambda$, the verifiers compute $n_\bot(j) = |\{i \in \{j - 4\lambda, \ldots, j\} : c_i = 0 \wedge t_i = \bot\}|$.

2. If any of the $\mathsf{wAUTH}^\varepsilon$ executions fails, or if $n_\bot(j) > 8q\lambda$ for some round $j > 4\lambda$, the verifiers
jointly reject. Otherwise, $m$ is accepted.

Figure 5: A generic position-based authentication scheme AUTH.

Theorem 7.4. The generic position-based authentication scheme AUTH (Figure 5) is $N e^{-2q\lambda}$-complete.

Proof. An honest prover which follows the above scheme can fail only if for some round $r$, $n_\bot > 8q\lambda$.
Using the Chernoff bound [Che52], the probability of having $n_\bot > 8q\lambda$ at a specific round $r$, is
upper bounded by $e^{-2q\lambda}$. Using the union bound for every possible round $j$, we can bound the
failure probability with $N e^{-2q\lambda}$. □
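The verifiers' side of Figure 5, as an added example (not code from the paper): the per-round acceptance rule of the weak scheme followed by the sliding-window count $n_\bot(j)$, run over three constructed transcripts. The function names, the tag encoding and the parameters $\lambda = 2$, $q = 1/10$ are assumptions made for the illustration.

```python
from fractions import Fraction

# Added illustration, not code from the paper; tag encoding and names are assumed.
OK = "x"      # tag equal to the response x the verifiers expect
BOT = "bot"   # the special symbol ⊥

def weak_accepts(bit, tag):
    """Step 3 of Figure 4: accept if t = x, or if the bit is 0 and t = ⊥."""
    return tag == OK or (bit == 0 and tag == BOT)

def auth_verify(codeword, tags, lam, q):
    """Verifier side of Figure 5; returns (accepted, reason, round)."""
    threshold = 8 * q * lam
    for j in range(1, len(codeword) + 1):      # rounds are 1-based as in the figure
        if not weak_accepts(codeword[j - 1], tags[j - 1]):
            return (False, "weak scheme failed", j)
        if j > 4 * lam:
            # n_bot(j): rounds i in {j-4*lam, ..., j} with c_i = 0 and t_i = ⊥
            n_bot = sum(1 for i in range(j - 4 * lam, j + 1)
                        if codeword[i - 1] == 0 and tags[i - 1] == BOT)
            if n_bot > threshold:
                return (False, "too many bot tags", j)
    return (True, "accepted", len(codeword))

LAM, Q = 2, Fraction(1, 10)   # constructed parameters, so 8*q*lam = 8/5

def honest_run():
    """Honest prover on c = 0^8 1^8 who happened to send ⊥ once, in round 3."""
    c = [0] * 8 + [1] * 8
    tags = [OK] * 16
    tags[2] = BOT
    return auth_verify(c, tags, LAM, Q)

def impersonated_zero_block():
    """Verifiers expect c' = 1^8 0^8; every 0 is answered with ⊥ and no honest run."""
    c_prime = [1] * 8 + [0] * 8
    tags = [OK] * 8 + [BOT] * 8
    return auth_verify(c_prime, tags, LAM, Q)

def bot_on_a_one():
    """⊥ is never a valid tag for the bit 1, so the weak scheme fails at once."""
    c_prime = [1] * 8 + [0] * 8
    return auth_verify(c_prime, [BOT] + [OK] * 15, LAM, Q)

if __name__ == "__main__":
    print(honest_run())
    print(impersonated_zero_block())
    print(bot_on_a_one())
```

The second transcript passes every individual execution of the weak scheme and is caught only by the window statistic.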

Before we analyze the security of the authentication scheme, let us discuss the possible attacks
on it. We treat $\hat{P}$ as a single identity, however $\hat{P}$ represents a collaboration of adversaries. Similarly,
we refer to the $k + 1$ verifiers as a single entity, $V$. We point out that we do not assume that honest
$P$ and $V$ have synchronized clocks. Therefore, we allow $\hat{P}$ to arbitrarily schedule and interleave
the $N$ executions of $\mathsf{wAUTH}^\varepsilon$ that $V$ performs with the $N$ executions that $P$ performs. The only
restriction on the scheduling is that $P$ and $V$ perform their executions of $\mathsf{wAUTH}^\varepsilon$ in the specified
order.

This means that at any point in time during the attack when $P$ has executed $\mathsf{wAUTH}^\varepsilon$ for the bits
$c_1, \ldots, c_{j-1}$ and $V$ has executed $\mathsf{wAUTH}^\varepsilon$ for the bits $c'_1, \ldots, c'_{j'-1}$ and both are momentarily inactive
(at the beginning of the attack: $j = j' = 1$), $\hat{P}$ can perform one of the following three actions. (1)
Activate $V$ to run $\mathsf{wAUTH}^\varepsilon$ on $c'_{j'}$ but not activate $P$; this corresponds to an impersonation attack.
(2) Activate $V$ to run $\mathsf{wAUTH}^\varepsilon$ on $c'_{j'}$, and activate $P$ to run $\mathsf{wAUTH}^\varepsilon$ on $c_j$; this corresponds to
a substitution attack if $c_j \neq c'_{j'}$. (3) Activate $P$ to run $\mathsf{wAUTH}^\varepsilon$ on $c_j$ but not activate $V$; this
corresponds to "fast-forwarding" $P$. We note that $\hat{P}$'s choice on which action to perform may be
adaptive and depend on what he has seen so far. However, since $V$ and $P$ execute $\mathsf{wAUTH}^\varepsilon$ for
each position within $c$ independently, information gathered from previous executions of $\mathsf{wAUTH}^\varepsilon$
does not improve $\hat{P}$'s success probability to break the next execution.

It is easy to see that any attack with its (adaptive) choices of (1), (2) or (3) leads to embeddings
$e$ and $e'$ of $c$ and $c'$, respectively. Indeed, start with empty strings $e$ and $e'$ and update them as
follows. For each of $\hat{P}$'s rounds, update $e$ by $e\sqcup$ and $e'$ by $e'c'_{j'}$ if $\hat{P}$ chooses (1), update $e$ by $ec_j$
and $e'$ by $e'c'_{j'}$ if he chooses (2), and update $e$ by $ec_j$ and $e'$ by $e'\sqcup$ if he chooses (3). In the end,
complete $e$ and $e'$ by padding them with sufficiently many $\sqcup$s to have them of length $2N$. It is clear
that the obtained $e$ and $e'$ are indeed valid embeddings of $c$ and $c'$, respectively.
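The scheduling argument above and the out-of-sync attack from Section 7.1, as an added example (not code from the paper): a dynamic program over the actions (1), (2), (3) finds the schedule with the fewest verifier rounds for which the adversary has no honest tag to relay, and the embeddings $e$, $e'$ are then built from a schedule as just described. The count of such "unbacked" rounds and all function names are assumptions of this example; the count is a simplification of $\lambda$-domination, not Definition 7.2 itself.

```python
# Added illustration, not code from the paper; all names are this example's own.
BLANK = -1  # the "-1" entry of an embedding (Definition 7.2)

def best_schedule(c, c_prime):
    """Minimise "unbacked" verifier rounds over all schedules of actions 1, 2, 3.

    Unbacked (an assumption of this example): the adversary has no honest tag
    to relay, i.e. an impersonation, or a substitution of an honest 0 by a 1.
    Returns (minimum, schedule).
    """
    n = len(c)
    inf = float("inf")
    # cost[j][jp]: fewest unbacked rounds once P ran j and V ran jp executions
    cost = [[inf] * (n + 1) for _ in range(n + 1)]
    prev = [[None] * (n + 1) for _ in range(n + 1)]
    cost[0][0] = 0
    for j in range(n + 1):
        for jp in range(n + 1):
            moves = []
            if jp < n:                       # (1) impersonation: V only
                moves.append((1, j, jp + 1, 1))
            if j < n and jp < n:             # (2) V and P together
                hard = int(c[j] == 0 and c_prime[jp] == 1)
                moves.append((2, j + 1, jp + 1, hard))
            if j < n:                        # (3) fast-forward P
                moves.append((3, j + 1, jp, 0))
            for action, nj, njp, weight in moves:
                if cost[j][jp] + weight < cost[nj][njp]:
                    cost[nj][njp] = cost[j][jp] + weight
                    prev[nj][njp] = (action, j, jp)
    schedule, j, jp = [], n, n
    while (j, jp) != (0, 0):                 # walk back to recover one optimal schedule
        action, j, jp = prev[j][jp]
        schedule.append(action)
    return cost[n][n], schedule[::-1]

def embeddings(c, c_prime, schedule):
    """Embeddings e, e' induced by a schedule, padded with BLANK to length 2N."""
    e, e_p, j, jp = [], [], 0, 0
    for action in schedule:
        e.append(BLANK if action == 1 else c[j])
        e_p.append(BLANK if action == 3 else c_prime[jp])
        j += action != 1
        jp += action != 3
    if (j, jp) != (len(c), len(c_prime)):
        raise ValueError("schedule must run every execution of P and of V")
    pad = [BLANK] * (2 * len(c) - len(e))
    return e + pad, e_p + pad

def property_a_count(e, e_p):
    """Positions with e'_i = 1 and e_i < 1: property (a) of Definition 7.2."""
    return sum(1 for x, y in zip(e, e_p) if y == 1 and x < 1)

def impersonated_zeros(e, e_p):
    """Positions with e'_i = 0 and e_i = -1: zeros V runs with no honest execution."""
    return sum(1 for x, y in zip(e, e_p) if y == 0 and x == BLANK)

# Constructed inputs with N = 8.
ALT_C, ALT_C_PRIME = [0, 1] * 4, [1, 0] * 4                    # 0101..01 vs 1010..10
BLOCK_C, BLOCK_C_PRIME = [0] * 4 + [1] * 4, [1] * 4 + [0] * 4  # block length 4
DESYNC = [1] + [2] * 7 + [3]   # attack from the text, then P's unused last round

if __name__ == "__main__":
    for name, c, cp in (("alternating", ALT_C, ALT_C_PRIME), ("block", BLOCK_C, BLOCK_C_PRIME)):
        best, sched = best_schedule(c, cp)
        e, e_p = embeddings(c, cp, sched)
        print(name, best, sched, property_a_count(e, e_p), impersonated_zeros(e, e_p))
```

For the alternating pair one unbacked round suffices, while for the block pair the minimum equals the block length, which is what the verifiers' statistics over $\bot$ and the bound of Lemma 7.1 then act on.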

Theorem 7.5. For any $\varepsilon > 0$ and $0 < q < (1 - \varepsilon)/8$, the generic position-based authentication
scheme AUTH (Figure 5) is $2^{-\Omega(\lambda)}$-sound in the No-PE model.

Proof. Let $m$ and $m' \neq m$ be the messages input by $P$ and the verifiers, respectively, and let $c$
and $c'$ be their encodings. Furthermore, let $e$ and $e'$ be their embeddings, determined (as explained
above) by $\hat{P}$'s attack. By the condition on the $\lambda$-dominating code $C$ we know that one of the two
properties (a) or (b) of Definition 7.2 holds. If (a) holds, the number of positions $i \in \{1, \ldots, 2N\}$
for which $e'_i = 1$ and $e_i \in \{-1, 0\}$ is $\lambda$. In this case, by construction of the embeddings, in his attack
$\hat{P}$ needs to authenticate (using $\mathsf{wAUTH}^\varepsilon$) the bit 1 at least $\lambda$ times (by means of an impersonation
or a substitution attack). By Lemma 2, the success probability of $\hat{P}$ is thus at most $\delta^\lambda$, which is
$2^{-\Omega(\lambda)}$. In the case where property (b) holds, there exists a consecutive sequence of indices $I$ such
that the set $J = \{i \in I : e'_i > -1\}$ has size $|J| > 4\lambda$ and contains at least $\lambda$ indices $i \in J$ with
$e_i = -1$. For any such index $i \in J$ with $e_i = -1$, $\hat{P}$ needs to authenticate (using $\mathsf{wAUTH}^\varepsilon$) the bit
$c'_i$ by means of an impersonation attack, while he may use $\bot$ for (at most) an $8q$-fraction of those
$i$'s.

However, by the $\varepsilon$-soundness of $\mathsf{PV}^\varepsilon$, if we require $\varepsilon < 1 - 8q$, the probability of $\hat{P}$ succeeding
in this attack is exponentially small in $\lambda$. □

A possible choice for a dominating code for $\mu$-bit messages is the balanced repetition code $C^{\mu}_{\ell\text{-BR}}$,
obtained by applying the code $C_{\ell\text{-BR}} = \{00..011..1,\ 11..100..0\} \subset \{0, 1\}^{2\ell}$ bit-wise.

Lemma 7.6. For any $\ell$ and $\mu$, the balanced repetition code $C^{\mu}_{\ell\text{-BR}}$ is $\ell/4$-dominating.

Proof. Let $c, c' \in \{0, 1\}^{2\mu\ell}$ be two distinct code words from $C^{\mu}_{\ell\text{-BR}}$, and let $e$ and $e'$ be their respective
embeddings. Note that $c$ is made up of blocks of 0's and 1's of length $\ell$. Correspondingly, $e$ is
made up of blocks of 0's and 1's of length $\ell$, with $\sqcup$'s inserted at various positions. Let $I_1, \ldots, I_{2\mu}$
be the index sets that describe these 0 and 1-blocks of $e$. In other words, they satisfy: $I_j < I_{j+1}$
element-wise, $|I_j| = \ell$, and $\{e_i : i \in I_j\}$ equals $\{0\}$ or $\{1\}$. Furthermore, the sequence of $e_i$'s with
$i \in I_1 \cup \ldots \cup I_{2\mu}$ equals $c$, and as such, for any odd $j$, one of $I_j$ and $I_{j+1}$ is a 0-block and one
a 1-block. Let $\phi : \{1, \ldots, \mu\} \to \{1, \ldots, 2\mu\}$ be the function such that $I_{\phi(k)}$ is the $k$-th 1-block in
$I_1, \ldots, I_{2\mu}$. The corresponding we can do with $c'$ and $e'$, resulting in blocks $I'_1, \ldots, I'_{2\mu}$ and function
$\phi'$. For any $j$, we define $cl(I'_j)$ to be the smallest "interval" in $\{1, \ldots, 4\mu\ell\}$ that contains $I'_j$.

For 1-blocks $I_j$ and $I'_{j'}$, we say that $I_j$ overlaps with $I'_{j'}$ if $|I_j \cap cl(I'_{j'})| > 3\ell/4$. We make the
following case distinction.

Case 1: $I_{\phi(k')}$ does not overlap with $I'_{\phi'(k')}$ for some $k'$. If all the indices in $I_{\phi(k')} \setminus cl(I'_{\phi'(k')})$
are larger than those in $cl(I'_{\phi'(k')})$, then $e'_i = 1$ for all $i \in I'_{\phi'(1)} \cup \ldots \cup I'_{\phi'(k')}$ but $e_i < 1$ for at least
$\ell/4$ of these $i$'s. A similar argument can be used when all these indices are smaller than those in
$cl(I'_{\phi'(k')})$. If neither of the above holds, then $e'_i = 1$ for all $i \in I'_{\phi'(k')}$ but $e_i < 1$ for at least $\ell/4$ of
these $i$'s. Hence, property (a) of Definition 7.2 is satisfied (with parameter $\ell/4$).

Case 2: $I_{\phi(k)}$ overlaps with $I'_{\phi'(k)}$ for every $k$. Since $c$ and $c'$ are distinct, and by the structure
of the code, there must exist two subsequent 1-blocks $I_{\phi(k)}$ and $I_{\phi(k+1)}$ such that the number of
0-blocks between $I_{\phi(k)}$ and $I_{\phi(k+1)}$ is strictly smaller than the number of 0-blocks between the
corresponding 1-blocks $I'_{\phi'(k)}$ and $I'_{\phi'(k+1)}$. If there is no 0-block between $I_{\phi(k)}$ and $I_{\phi(k+1)}$ and
(at least) one 0-block between $I'_{\phi'(k)}$ and $I'_{\phi'(k+1)}$ then by the assumption on the overlap, at least
half of the indices $i$ in the 0-block $I'_{\phi'(k)+1}$ satisfy $e_i = \sqcup$. If there is one 0-block between $I_{\phi(k)}$
and $I_{\phi(k+1)}$ and two 0-blocks between $I'_{\phi'(k)}$ and $I'_{\phi'(k+1)}$ then at least a quarter of the indices
$i \in I'_{\phi'(k)+1} \cup I'_{\phi'(k)+2}$ satisfy $e_i = \sqcup$. In both (sub)cases, property (b) of Definition 7.2 is satisfied
(with $\lambda = \ell/4$). □

Plugging in the concrete secure positioning scheme from Section 6.3, we obtain a secure realization
of a position-based authentication scheme in W 1 , in the No-PE model.

7.3 Position-Based Key Exchange 

The goal of a position-based key-exchange scheme is to have the verifiers agree with honest prover
$P$ at location pos on a key $K \in \{0, 1\}^L$, in such a way that no dishonest prover has any (non-negligible
amount of) information on $K$ beyond its bit-length $L$, as long as he is not located at
pos.⁵ Formally, we require the following security properties.

• $\varepsilon_c$-Completeness: If $P$ is honest and at the claimed position pos, and if there is no (coalition
of) dishonest prover(s), then $P$ and $V_0, \ldots, V_k$ output the same key $K$ of positive length,
except with probability $\varepsilon_c$.

• $\varepsilon_s$-Security: For any position $\mathit{pos} \in \mathrm{Hull}(\mathit{pos}_0, \ldots, \mathit{pos}_k)$ and for any coalition $\hat{P}$ of dishonest
provers at locations all different to pos, the hybrid state $\rho_{KE}$, consisting of the key $K$ output
by the verifiers and the collective quantum system of $\hat{P}$ at the end of the scheme, satisfies
$\delta(\rho_{KE}, \rho_{\tilde{K}} \otimes \rho_E) < \varepsilon_s$, where $\tilde{K}$ is chosen independently and at random of the same bit-length
as $K$.

⁵ The length $L$ of the key may depend on the course of the scheme. In particular, an adversary may enforce it to
be 0.

Note that the security properties only ensure that the verifiers can be convinced that $\hat{P}$ has no
information on the key they obtain; no such security is guaranteed for $P$. Indeed, $\hat{P}$ can always
honestly execute the scheme with $P$, acting as verifiers. Also note that the security properties do
not provide any guarantee to the verifiers that $P$ has obtained the same key that was output by
the verifiers, in case of an active attack by $\hat{P}$, but this feature can always be achieved e.g. with the
help of a position-based authentication scheme by having $P$ send an authenticated hash of his key.

A position-based key-exchange scheme can easily be obtained by taking any quantum key-distribution
(QKD) scheme that requires authenticated communication, and doing the authentication
by means of a position-based authentication scheme, like the scheme from the previous section.
One subtlety to take care of is that QKD schemes usually require two-way authentication, whereas
position-based authentication only provides authentication from the prover to the verifiers. However,
this problem can easily be resolved as follows. Whenever the QKD scheme instructs $V_0$ (acting
as Alice in the QKD scheme) to send a message $m$ in an authenticated way to $P$ (acting as Bob),
$V_0$ sends $m$ without authentication to $P$, but in the next step $P$ authenticates the message $m'$ he
has received (supposedly $m' = m$) toward the verifiers, who abort and output an empty key $K$ in
case the authentication fails.

Using standard BB84 QKD, we obtain a concrete position-based key-exchange scheme. The
security of that scheme follows from the security of the BB84 protocol [LC99, BBB+00, SP00,
May01, BOHL+05, Ren05] and of the position-based authentication scheme.

8 Conclusion and Open Questions 

Continuing a very recent line of research [Mal10a, Mal10b, CFG+10, KMS10, Ken10], we have
given a general proof that information-theoretic position-verification quantum schemes are impossible,
thereby answering an open question about the security of schemes proposed in [KMS10] to
the negative. On the positive side, we have provided schemes secure under the assumption that
dishonest provers do not use pre-shared entanglement. Our results naturally lead to the question:
How much entanglement is needed in order to break position-verification protocols? Can we show
security in the bounded-quantum-storage model [DFSS05] where adversaries are limited to store,
say, a linear fraction of the communicated qubits?

A Proofs

A.1 Proof of Lemma 2.1

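In this section we prove the following lemma (Lemma 2.1): For any tri-partite state $\rho_{ABY}$ with
classical $Y$,

$$H(A|BY) = \sum_y P_Y(y)\, H(\rho^y_{AB}|B).$$

We first consider the case of an "empty" $B$. $Y$ being classical means that $\rho_{AY}$ is of the form
$\rho_{AY} = \sum_y P_Y(y)\, \rho^y_A \otimes |y\rangle\langle y|$. Let us write $\lambda^y_1, \ldots, \lambda^y_n$ for the eigenvalues of $\rho^y_A$. Note that the
eigenvalues of $\rho_{AY}$ are given by $P_Y(y)\lambda^y_i$ with $y \in \mathcal{Y}$ and $i \in \{1, \ldots, n\}$. It follows that

$$H(\rho_{AY}|Y) = H(\rho_{AY}) - H(\rho_Y) = -\mathrm{tr}\big(\rho_{AY} \log(\rho_{AY})\big) + \mathrm{tr}\big(\rho_Y \log(\rho_Y)\big)$$
$$= -\sum_{y,i} P_Y(y)\lambda^y_i \log\big(P_Y(y)\lambda^y_i\big) + \sum_y P_Y(y) \log\big(P_Y(y)\big)$$
$$= -\sum_y P_Y(y) \sum_i \lambda^y_i \log(\lambda^y_i) = \sum_y P_Y(y)\, H(\rho^y_A).$$

In general, we can conclude that

$$H(\rho_{ABY}|BY) = H(\rho_{ABY}) - H(\rho_{BY}) = \sum_y P_Y(y)\, H(\rho^y_{AB}) - \sum_y P_Y(y)\, H(\rho^y_B)$$
$$= \sum_y P_Y(y) \big( H(\rho^y_{AB}) - H(\rho^y_B) \big) = \sum_y P_Y(y)\, H(\rho^y_{AB}|B),$$

which proves the claim. □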



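A.2 Proof of Corollary 2.5

By Lemma 2.1, we can write

$$H(X|\Theta E) + H(X|\Theta F) = \frac{1}{2^n} \sum_\theta H(\rho^\theta_{XE}|E) + \frac{1}{2^n} \sum_\theta H(\rho^\theta_{XF}|F)$$
$$= \frac{1}{2^n} \sum_\theta \big( H(\rho^\theta_{XE}|E) + H(\rho^{\bar\theta}_{XF}|F) \big).$$

Note that $\rho^\theta_{XE}$ is obtained by measuring $A$ of $|\psi_{AEF}\rangle$ in basis $\theta$ (and ignoring $F$), and $\rho^{\bar\theta}_{XF}$
is obtained by measuring $A$ of $|\psi_{AEF}\rangle$ in the complementary basis $\bar\theta$ (and ignoring $E$). Hence,
Theorem 2.4 applies and we can conclude that $H(\rho^\theta_{XE}|E) + H(\rho^{\bar\theta}_{XF}|F) \geq n$ and thus $H(X|\Theta E) +
H(X|\Theta F) \geq n$. □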



B Instantaneous Nonlocal Quantum Computation With N Parties 

We generalize the above result to any $N$-party distributed computation, by generalizing Theorem 4.3
to the case of $N$-parties. We assume that some distinguished user holds the system $A$
and the information $x \in \mathcal{X}$, while for the rest, each user $p = 1 \ldots N - 1$ holds the system $B_p$ and
the classical input $y_p \in \mathcal{Y}_p$. Let us call the user who holds $\mathcal{H}_A$ Alice, and the rest of the users $\mathcal{U}_p$
with $p = 1 \ldots N - 1$. Denote $\mathcal{H}_{all} = \mathcal{H}_A \otimes \mathcal{H}_{B_1} \otimes \cdots \otimes \mathcal{H}_{B_{N-1}}$. The parties share an arbitrary
and unknown state $|\psi\rangle \in \mathcal{H}_{all} \otimes \mathcal{H}_E$, and a unitary operation $U$ defined on $\mathcal{H}_{all}$. The unitary $U$ is
determined by $x$ and $\{y_p\}$ out of some fixed family of unitaries.

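Theorem B.1. For every family $\{U_{x,y_1,\ldots,y_{N-1}}\}$ of unitaries defined on $\mathcal{H}_{all}$ and for every $\varepsilon > 0$,
given sufficiently many pairwise shared EPR pairs, there exist families $\{\mathcal{A}_x\}$, $\{\mathcal{B}_{y_1}\}$, $\ldots$, $\{\mathcal{B}_{y_{N-1}}\}$
of local operations, acting on Alice's and $\mathcal{U}_p$'s respective sides, with the following property. For
any initial state $|\psi\rangle \in \mathcal{H}_{all} \otimes \mathcal{H}_E$ and for every $x \in \mathcal{X}$ and $y_1, \ldots, y_{N-1} \in \mathcal{Y}_1 \times \cdots \times \mathcal{Y}_{N-1}$,
the joint execution $\mathcal{A}_x \otimes \mathcal{B}_{y_1} \otimes \cdots \otimes \mathcal{B}_{y_{N-1}}$ transforms the state $|\psi\rangle$ into $|\varphi'\rangle$ and provides classical
outputs $k$ to Alice and $\ell_p$ to $\mathcal{U}_p$, such that the following holds except with probability $\varepsilon$. The state $|\varphi'\rangle$
coincides with $|\varphi\rangle = (U_{x,y_1,\ldots,y_{N-1}} \otimes \mathbb{I})|\psi\rangle$ up to local qubit-wise operations on systems $A$ and $B_p$
for $p = 1 \ldots N - 1$, that are determined by $k$ and $\{\ell_p\}$.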

Proof. As in the two-party case, we may assume that Alice holds and that for each player $\mathcal{U}_p$,
$\dim \mathcal{H}_{B_p} = 1$. Furthermore, we assume that the joint state of $A$ and $\{B_p\}$ is pure, and thus we may
ignore system $E$. We prove the theorem by induction on the number of parties. As we have already
proven the above for $N = 2$ (and the case of $N = 1$ is trivial), let us assume that the proposition
holds for $N = c$ and show it also holds for $N = c + 1$.

1. Alice begins by teleporting the state to $\mathcal{U}_1$ through teleportation channel number $x$ she
shares with $\mathcal{U}_1$. Let $k_\circ \in \{0, 1, 2, 3\}^n$ be the outcome of her measurement performed during
the teleportation.

2. For every $i = 1 \ldots |\mathcal{X}|$, denote with $|\varphi_i\rangle$ the state at $\mathcal{U}_1$'s end of the $i$-th teleportation channel.
Next, for $i = 1, \ldots, |\mathcal{X}|$, users $\mathcal{U}_1$ to $\mathcal{U}_c$ perform the scheme given by the induction assumption⁶
on the input state $|\varphi_i\rangle$ with respective classical information $((i, y_1), y_2, y_3, \ldots, y_c)$, and with
$\{U_{y_1,\ldots,y_c} := U_{x=i,y_1,\ldots,y_c}\}$ being the family of unitaries. At the end of the induction step
$\mathcal{U}_1$ holds the state $|\varphi'_i\rangle$ and each of $\mathcal{U}_p$ obtains a classical output $\ell^i_p$,⁷ such that for every $i$ the
state $|\varphi'_i\rangle$ coincides with $U_{x=i,y_1,\ldots,y_{N-1}}|\varphi_i\rangle$ up to local qubit-wise operations determined
by $\{\ell^i_p\}$.

3. For every $i$, $\mathcal{U}_1$ teleports $|\varphi'_i\rangle$ back to Alice, using teleportation channel number $|\mathcal{X}| + i$. Let
$\ell_{\circ,i} \in \{0, 1, 2, 3\}^n$ be the outcome of his measurement performed during the teleportation.

4. Alice specifies the state at her end of teleportation channel number $|\mathcal{X}| + x$ to be the state $|\varphi'\rangle$.

Clearly, if $k_\circ = 0 \cdots 0$ then the parties $\mathcal{U}_1, \ldots, \mathcal{U}_c$ on teleportation channel $i = x$ perform instantaneous
quantum computation of the unitary $U_{x,y_1,\ldots,y_c}$ on the state $|\psi\rangle$, obtaining the state $|\varphi'_x\rangle$
which coincides with $U_{x,y_1,\ldots,y_c}|\psi\rangle$ up to some local qubit-wise operations determined by their classical
outputs $\ell^x_1, \ldots, \ell^x_c$, that is, $|\varphi'_x\rangle = W_{\ell^x_1,\ldots,\ell^x_c} U_{x,y_1,\ldots,y_c}|\psi\rangle$, where $W$ is a tensor product of Pauli
matrices determined by their classical input. The state $|\varphi'\rangle$ obtained by Alice at the $|\mathcal{X}| + x$ teleportation
channel coincides with $|\varphi'_x\rangle$ up to local qubit-wise operations determined by $\ell_{\circ,x}$, which
proves the theorem for this case.

On the other hand, assume $k_\circ \neq 0 \cdots 0$, then by the induction assumption

$$|\varphi'\rangle = V_{\ell_{\circ,x}} W_{\ell^x_1,\ldots,\ell^x_c} U_{x,y_1,\ldots,y_c} V_{k_\circ} |\psi\rangle$$
$$= V_{\ell_{\circ,x}} W_{\ell^x_1,\ldots,\ell^x_c} U_{x,y_1,\ldots,y_c} V_{k_\circ} U^\dagger_{x,y_1,\ldots,y_c} |\varphi\rangle$$

where $V_{\ell_{\circ,x}}$ and $V_{k_\circ}$ are tensor products of Pauli matrices, and $W_{\ell^x_1,\ldots,\ell^x_c}$ is the local qubit-wise
(Pauli) operations asserted by the induction assumption. Thus, setting $|\psi'\rangle := |\varphi'\rangle$, $x' := (x, k_\circ)$,
$y'_1 := (y_1, \ell_{\circ,x}, \ell^x_1)$ and $y'_p := (y_p, \ell^x_p)$ for $p = 2 \ldots c$, and letting

the state $|\varphi\rangle$ can be written as $|\varphi\rangle = U'_{x',y'_1,\ldots,y'_c}|\psi'\rangle$. Again, we are back to the original problem of
applying a unitary, $U'_{x',y'_1,\ldots,y'_c}$, to a state, held by Alice, where the unitary depends on classical
information $x'$ and $\{y'_p\}$, known by Alice and the users $\mathcal{U}_p$, respectively. We complete the proof
by recalling that the success probability per round is constant which depends only on $\dim \mathcal{H}_{all}$.
Assuming a sufficient number of pairwise shared EPR pairs, re-applying the above procedure sufficiently
many times to the resulting new problem instances guarantees that except with arbitrarily
small probability, the state $|\varphi'\rangle$ will be of the required form at some point. □

⁶ To be more precise, the scheme is performed with the given instance $U$, reduced to the case of $c$ classical inputs,
by "merging" the first two inputs, i.e., $\{U_{z_1,z_2,\ldots,z_c}\}_{z_1 \in \mathcal{X} \times \mathcal{Y}_1,\, z_2 \in \mathcal{Y}_2,\, \ldots,\, z_c \in \mathcal{Y}_c}$.

⁷ For simplifying notation, we denote by $\ell^i_1$ the classical information $k^i$ that $\mathcal{U}_1$ obtains when acting as the distinguished
user in the scheme given by the induction assumption.






